The Channel logo


By | John Leyden 7th June 2007 10:24

Buggy ActiveX controls menace Yahoo! Messenger

Webcam! library! peril!

ActiveX controls - so often the source of Internet Explorer flaws - are the font of two newly discovered flaws in Yahoo! Messenger.

Buffer overflow-related security bugs in the Yahoo! Webcam Upload (ywcupl.dll) ActiveX control and Webcam Viewer (ywcvwr.dll) ActiveX control allow hackers to inject malware onto Windows PCs running the popular instant messenging software.

The vulnerabilities have been confirmed in version of Yahoo! Messenger. Other versions might also be affected, but this remains unconfirmed.

Users are advised to disable the affected ActiveX controls as a workaround, pending a security patch from Yahoo!

The flaws were detailed by white-hat hacker Danny in postings (here and here) to a full-disclosure security list on Wednesday. On Tuesday, security tools firm eEye said it had reported flaws in Yahoo! Messenger 8.

Beyond describing the bugs as high risk, eEye omitted details on the multiple flaws it reported to Yahoo!

Although we can't be sure, it's highly likely the flaws identified by Danny and eEye are one and the same. ®

alert Send corrections


Frank Jennings

What do you do? Use manual typwriters or live in a Scottish croft? Our man advises
A rusty petrol pump at an abandoned gas station. Pic by Silvia B. Jakiello via shutterstock

Trevor Pott

Among other things, Active Directory needs an overhaul
Baby looks taken aback/shocked/affronted. Photo by Shutterstock

Kat Hall

Plans for 2 million FTTP connections in next four years 'not enough'
Microsoft CEO Satya Nadella


League of gentlemen poster - Tubbs and Edward at the local shop. Copyright BBC
One reselling man tells his tale of woe