Overview
The Yahoo! Music Jukebox YMP Datagrid ActiveX control contains multiple stack buffer overflows, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Description
Yahoo! Music Jukebox is a music player for Microsoft Windows, which includes multiple ActiveX controls. The YMP Datagrid ActiveX control, which is provided by datagrid.dll, contains multiple stack buffer overflows. For example, the AddImage() and AddButton() methods are vulnerable. |
Impact
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user on a vulnerable system. |
Solution
Apply an update This vulnerability is addressed in Yahoo! Media Jukebox version 2.2.2.058, which comes with datagrid.dll version 2.2.2.58. This update may be applied with the automatic update functionality of the Yahoo! Media Jukebox software, or you can install it manually. Please see the Yahoo! Music Jukebox Security Update for more details. |
|
Vendor Information
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | ||
Temporal | ||
Environmental |
References
Acknowledgements
This vulnerability was publicly disclosed by Krystian Kloskowski
This document was written by Will Dormann.
Other Information
CVE IDs: | CVE-2008-0623, CVE-2008-0624 |
Severity Metric: | 21.42 |
Date Public: | 2008-02-02 |
Date First Published: | 2008-02-05 |
Date Last Updated: | 2008-02-13 15:42 UTC |
Document Revision: | 23 |