Yahoo IM affected by ActiveX vulnerabilities

Three different ActiveX vulnerabilities affect Yahoo Instant Messenger version 3.5, and Yahoo Messenger versions 4.0, 5.0, and 5.5

On the heels of ActiveX vulnerabilities in the image uploading tools for Facebook and, researchers warned Monday that Yahoo Instant Messenger and Yahoo Messenger are vulnerable to ActiveX-based attacks.

Researcher Elazar Broad has disclosed a Boundary Condition vulnerability within mediagrid.dll, version 2.2.2 56. Researchers Krystian Kloskowski and Broad have disclosed a second Boundary Condition vulnerability within datagrid.dll, version 2.2.2 56c. And Kloskowski alone has disclosed a buffer overflow within datagrid.dll 2.2.2 56, which affects the AddImage function.

The three vulnerabilities are present within Yahoo Instant Messenger version 3.5 and Yahoo Messenger versions 4.0, 5.0, and 5.5, and could allow an attacker to compromise affected systems.

There are no known public exploits for these at this time. There is no patch available.

The existing workaround includes enabling the ActiveX control for each. Microsoft provides more details here. The specific CLSIDs for the ActiveX controls involved are:

Yahoo! MediaGrid: CLSID 22FD7C0A-850C-4A53-9821-0B0915C96139
Yahoo! DataGrid: CLSID 5F810AFC-BB5F-4416-BE63-E01DD117BD6C2

Featured Video
This content is rated TV-MA, and is for viewers 18 years or older. Are you of age?
Sorry, you are not old enough to view this content.

Roku 4: Our favorite TV streaming system gets 4K video and a remote locator

Ever lose your remote in the couch cushions? Ever wish you could stream 4K Netflix without having to use your TV's built-in app? Roku's new high-end player, the $129 Roku 4, brings these new extras to its best-in-class streaming ecosystem.

by David Katzmaier