On the heels of ActiveX vulnerabilities in the image uploading tools for Facebook and MySpace.com, researchers warned Monday that Yahoo Instant Messenger and Yahoo Messenger are vulnerable to ActiveX-based attacks.
Researcher Elazar Broad has disclosed a Boundary Condition vulnerability within mediagrid.dll, version 2.2.2 56. Researchers Krystian Kloskowski and Broad have disclosed a second Boundary Condition vulnerability within datagrid.dll, version 2.2.2 56c. And Kloskowski alone has disclosed a buffer overflow within datagrid.dll 2.2.2 56, which affects the AddImage function.
The three vulnerabilities are present within Yahoo Instant Messenger version 3.5 and Yahoo Messenger versions 4.0, 5.0, and 5.5, and could allow an attacker to compromise affected systems.
There are no known public exploits for these at this time. There is no patch available.
The existing workaround includes enabling the ActiveX control for each. Microsoft provides more details here. The specific CLSIDs for the ActiveX controls involved are:
- Yahoo! MediaGrid: CLSID 22FD7C0A-850C-4A53-9821-0B0915C96139;
- Yahoo! DataGrid: CLSID 5F810AFC-BB5F-4416-BE63-E01DD117BD6C.
This article was first published as a blog on CNET News.com.
Play video
» Achieve enhanced server performance with energy-efficient blade technology
Error in a CLSID
The CLSID for Yahoo! Datagrid originally published by Symantec and ISC is incorrect and you have copied it here. Please check the original articles, both of which have now been corrected.
Posted by Iain House on Wednesday, February 06 2008 07:27 AM