Overview
A remotely exploitable buffer overflow vulnerability has been discovered in the Yahoo! Audio Conferencing ActiveX control.
Description
The Yahoo! Audio Conferencing ActiveX control is used in the web-based Yahoo! Chat service, as well as in the Win32 Yahoo! Messenger application. There is a remotely exploitable buffer overflow in this ActiveX control that could allow a remote attacker to take various unauthorized actions. In order to exploit this vulnerability, the attacker would need to convince the victim to view malicious HTML (a web page, for example).
Impact
Various impacts are well summarized in the documentation issued by Yahoo! Inc. in response to this vulnerability: Some common impacts of a buffer overflow might include being involuntarily logged out of a Chat and/or Messenger session, the crash of an application such as Internet Explorer, and in some instances, the introduction of executable code.
Solution
Update your Yahoo! Audio Conferencing ActiveX control. For detailed instructions, please see the Yahoo! Audio Conferencing Update web page.
References
- http://chat.yahoo.com
- http://messenger.yahoo.com/
- http://www.securityfocus.com/bid/7561
- http://zdnet.com.com/2100-1105_2-1011847.html
- http://help.yahoo.com/help/us/mesg/use/use-45.html
- http://silicon.com/news/500019-500013/1/4440.html
- http://www.businessweek.com/technology/cnet/stories/1011847.htm
- http://lists.netsys.com/pipermail/full-disclosure/2003-June/009944.html
Acknowledgements
This vulnerability was discovered by Cesar
This document was written by Ian A Finlay.
Other Information
CVE IDs: None
Severity Metric: 3.00
Date Public: 2003-05-12
Date First Published: 2003-06-02
Date Last Updated: 2003-06-02 18:53 UTC
Document Revision: 17