Yahoo patches critical bugs in Messenger
By Ruben Francia
Yahoo has released a critical security patch for its Messenger instant messaging client to address zero-day exploits that could compromise PCs remotely, with no or minimal interaction required by the user.
The patch comes after a hacker released two ActiveX exploits for Yahoo Messenger’s Webcam application on the Full Disclosure mailing list.
eEye Digital Security first reported the flaws to Yahoo earlier this week without disclosing specific details of the bug.
eEye gave the problem its highest risk rating.
“ActiveX remote code execution vulnerabilities have very high impacts since the source of the malicious payload can be any site on the Internet,” the security company said in its alert.
All existing versions of the Messenger instant messaging client running on Windows are vulnerable to attack, according to eEye.
“The impact of this vulnerability is extensive because it could allow attackers to take complete control of a user’s system, and two public proof-of-concept exploits are available. This leaves many thousands of internet consumers at high risk,” said Andrew Storms, director of security operations for nCircle, a provider of enterprise-class vulnerability and risk management solutions.
Yahoo’s advisory on the problem states that anyone using a version of the Messenger instant messaging client running on Windows obtained before Friday should download the update.

June 10th, 2007
I have paid to play Boggle some time ago and now cannot get back to play it – Please sort this out and connect me back to this game. I cannot remember my password or sign-in details.