Yahoo plugs Messenger hole

Yahoo this week released an updated version of its instant messaging application to fix a vulnerability in the audio conferencing feature. If exploited, the security hole could give an attacker full control over a Windows computer running the vulnerable software, Yahoo said on its Web site. All versions of Yahoo Messenger downloaded before March 13 are affected, the company said.

For a hack to succeed an attacker would have to trick a Yahoo Messenger user into viewing a malicious Web page, Yahoo said. The flaw lies in an ActiveX control, a small program that can typically be invoked from Internet Explorer. Yahoo will notify its users to install the update over the next several weeks, the company said.