Security Updates - Yahoo Messenger

ActiveX Control Deactivation

November 20, 2009

Who is affected?

Users of computers that have installed Yahoo! Messenger version 9.x or earlier.

Do I need to update Yahoo! Messenger to the new version?

No. Yahoo! is working with Microsoft to disable the loading of the ActiveX control at the Windows operating system level. More information about this process can be found at http://support.microsoft.com/kb/240797.

How do I get the Security Update?

This will be patched as part of a regularly scheduled Microsoft Security Update. You should ensure that your machine is properly patched with Microsoft Security Updates.

What is the security issue?

Yahoo! recently identified a security issue, commonly referred to as a "null pointer crash", in an ActiveX control. This control is part of the Yahoo! services suite typically downloaded with the installer for Yahoo! Messenger.

How did Yahoo! learn of this?

Yahoo! follows a number of security-related internet forums. This issue was identified on one of those forums.

What is the potential impact?

The impact of a null pointer crash might include the crash of an application such as Internet Explorer, or an involuntary logout from a Yahoo! Chat and/or Yahoo! Messenger session. In this case, the problem can only be triggered by viewing a web page that has embedded malicious HTML code, and the result in some versions of Internet Explorer is an error dialog or browser crash.

I'm a technical user. What is the CLSID and exact version of the control that has the problem?

The CLSID is 58916BE6-BAFF-4F33-AEFE-B2AA03FE4C86 and the version is 2.0.0.2. If you do not want to wait for the Microsoft Security Update, http://support.microsoft.com/kb/240797 details the process for disabling an ActiveX control without deleting it.
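
One way to check for and apply the mitigation referenced above, as an added example that is not Yahoo!'s or Microsoft's own script: it reads the `Compatibility Flags` value under the `ActiveX Compatibility` registry key and tests the 0x400 kill bit that KB240797 describes. The `-Apply` switch and the function name are hypothetical, and the Wow6432Node path is included on the assumption that 32-bit Internet Explorer may be present on 64-bit Windows.

```powershell
# Audit (default) or set (-Apply, needs an elevated prompt) the Internet Explorer
# kill bit for the control named in this advisory.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$Clsid   = '{58916BE6-BAFF-4F33-AEFE-B2AA03FE4C86}'   # CLSID from the advisory
$KillBit = 0x400                                      # kill-bit flag from KB240797
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # Assumption: 32-bit registry view, consulted by 32-bit IE on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$KeyPath)
    $flags = 0   # a missing key or value means no flags are set
    if (Test-Path -LiteralPath $KeyPath) {
        $item = Get-ItemProperty -LiteralPath $KeyPath -Name 'Compatibility Flags' `
                    -ErrorAction SilentlyContinue
        if ($null -ne $item) { $flags = $item.'Compatibility Flags' }
    }
    [pscustomobject]@{
        Key      = $KeyPath
        Flags    = $flags
        FlagsHex = '0x{0:X8}' -f $flags
        Blocked  = (($flags -band $KillBit) -ne 0)
    }
}

foreach ($root in $Roots) {
    # Skip views that do not exist (for example, no Wow6432Node on 32-bit Windows)
    if (-not (Test-Path -LiteralPath $root)) { continue }

    $key   = Join-Path $root $Clsid
    $state = Get-KillBitState $key

    if ($Apply -and -not $state.Blocked) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so that any other compatibility flags already present survive
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
            -Value ($state.Flags -bor $KillBit) -Type DWord
        $state = Get-KillBitState $key   # re-read to confirm the write
    }
    $state
}
```

A `Blocked` value of `True` in every row means Internet Explorer will refuse to instantiate the control in both registry views; the control's files stay on disk, matching the "without deleting it" approach described above.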