Important update for Yahoo! Messenger - 12/05/03

Dec 5, 2003 10:36AM PST

Madrid, December 5 2003 - Yahoo! has reported(*) that a vulnerability has
been detected in Yahoo's instant messaging client that could be exploited
remotely to run arbitrary code and take control of the affected system.

This problem stems from a buffer overflow in the "yauto.dll" library,
through the "Open()" function. An attacker could construct a web page that
sends an overlong argument to the function to provoke a buffer overflow on
the system.

According to Yahoo!, the problem only affects Yahoo! Messenger users who
have modified the configuration of Internet Explorer, switching the default
medium security settings to low.

(*) Yahoo! has published -at
http://messenger.yahoo.com/security/update4.html - a web page with
information about this vulnerability. This page also includes an automatic
checker -to test if the system is vulnerable- and has the patch to resolve
the problem.

(nt) i was ok ty
Dec 5, 2003 12:19PM PST

That is only the tip of the iceberg, Marianna
Dec 5, 2003 2:02PM PST

Anyone using Low settings for general internet surfing is a fool. There is no security in that level, and a potential but unlikely-to-happen buffer overflow in Messenger is the least danger they face. I could think of hundreds more which will cause more lasting damage.

The message is simple and serious:
1. Do NOT use LOW settings in Internet Explorer for ANYTHING! That includes local intranets, as even these can be compromised, leaving the network users open to attack.

2. Even Internet Explorer's Medium is pretty much inadequate these days, and should be the baseline from which you work upwards in your implementation of security measures.

3. Learn your browser and your system, then customise, Customise, CUSTOMISE!

4. Never accept software defaults designed for ease of use. Remember - "easy to use" = "easy to attack".
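
The advisory limits exposure to systems where Internet Explorer's zone security was lowered from Medium, and the reply above warns against Low in any zone, intranet included. As an added example (not part of the original thread), this PowerShell script reads the documented `CurrentLevel` registry value for the Local intranet, Trusted sites and Internet zones and flags any zone set below Medium; the function name `Get-IEZoneLevel` and the output column names are hypothetical.

```powershell
# Added example, not from the thread: audit Internet Explorer zone security levels.
# CurrentLevel holds the security template applied to a zone (0 = custom settings).
$levelNames = @{
    0x10000 = 'Low'; 0x10500 = 'Medium-low'; 0x11000 = 'Medium'
    0x11500 = 'Medium-high'; 0x12000 = 'High'; 0 = 'Custom'
}
$zoneNames = @{ '1' = 'Local intranet'; '2' = 'Trusted sites'; '3' = 'Internet' }

# Per-user and per-machine settings, plus the Group Policy copies of each.
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$roots = @(
    "HKCU:\Software\$suffix"
    "HKLM:\Software\$suffix"
    "HKCU:\Software\Policies\$suffix"
    "HKLM:\Software\Policies\$suffix"
)

function Get-IEZoneLevel {
    foreach ($root in $roots) {
        foreach ($zone in $zoneNames.Keys) {
            $key = Join-Path $root $zone
            if (-not (Test-Path $key)) { continue }
            $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CurrentLevel
            if ($null -eq $value) { continue }   # key exists but no level is set here

            $name = $levelNames[[int]$value]
            if (-not $name) { $name = 'Unknown (0x{0:X})' -f $value }

            [pscustomobject]@{
                Hive        = $root.Substring(0, 4)
                Policy      = ($root -like '*\Policies\*')
                Zone        = $zoneNames[$zone]
                Level       = $name
                # Low and Medium-low are the templates weaker than the Medium default.
                BelowMedium = ([int]$value -in 0x10000, 0x10500)
                # A custom level says nothing by itself; individual settings need review.
                NeedsReview = ([int]$value -eq 0)
            }
        }
    }
}

Get-IEZoneLevel | Sort-Object Zone, Hive, Policy | Format-Table -AutoSize
```

Any row with `BelowMedium` set to `True` matches the configuration the advisory describes as exposed.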

NT - Good advice Dale!
Dec 5, 2003 7:33PM PST

(NT) Good advice worth repeating... :)
Dec 5, 2003 10:54PM PST