Yahoo fills in Messenger hole

The Web portal fixes Messenger 5.0 after learning a security vulnerability could allow hackers to delete files on a person's computer.

Jim Hu Staff Writer, CNET News.com
Jim Hu
covers home broadband services and the Net's portal giants.
Jim Hu
2 min read
A security vulnerability that could allow hackers to delete files on someone's computer has prompted Yahoo to issue a fix for the latest version of its popular instant messaging software.

The vulnerability allows hackers to impose a "buffer overflow" attack, meaning they could imbed a potentially harmful executable program on someone's computer. Using Yahoo Messenger as its conduit, hackers could delete files or cripple a computer's security.

Yahoo updated the 5.0 version of its service Friday after the exploit was discovered. A Yahoo spokeswoman said the company began Tuesday to encourage Messenger users to download the new build of the software, which includes a fix for the vulnerability, from Yahoo's Web site.

"Upon learning of the issue, we responded quickly by making an updated version of Yahoo Messenger available," Yahoo spokeswoman Mary Osako said in an e-mail.

Osako declined to say how many Yahoo users were affected, but she reiterated that the update was released for all Yahoo Messenger users. In April, 19.1 million people in the United States used Yahoo Messenger, according to Web measurement company Jupiter Media Metrix. Because Yahoo has many international users, the total number of people potentially affected by the vulnerability is likely much greater.

As of noon Tuesday, there was no information on the Yahoo site about the security hole. The vulnerability was first discovered by Vice Consulting, an information technology consulting firm based in Ho Chi Minh City, Vietnam.

Buffer-overflow vulnerabilities are common flaws in IM services. AOL Time Warner has been troubled by such security holes in its AOL Instant Messenger application. Microsoft also issued a warning on its Web site earlier this month informing people of a similar weakness that affected MSN Messenger software. Microsoft Chairman Bill Gates has earmarked security as a top priority for the company largely because of the company's increased reliance on its .Net initiative, which will offer software and services over the Internet.