August 21, 2007
Do I need to update Yahoo! Messenger to the new version?
Yes, if you are using a version of Yahoo! Messenger obtained before August 21, 2007.
How do I get the Security Update?
You can download the latest version of Yahoo! Messenger from http://e1.messenger.yahoo.com/download/. Select the typical install option during the install process.
What is the security issue?
Yahoo! recently learned of two security issues in the webcam function. They are commonly referred to as denial-of-service and buffer overflow. The Yahoo! Messenger client downloaded before August 21, 2007 is vulnerable to these issues.
How did Yahoo! learn of this?
Yahoo! has relationships with third-party security organizations and researchers. iDefense Labs informed Yahoo! of this particular security issue.
What is the potential impact?
A denial-of-service attack (also known as a DoS attack) is an attack on a computer system that causes a loss of service to users. For this specific security issue, the Yahoo! Messenger client exits unexpectedly after the user accepts a webcam invitation from a malicious attacker.
Some impacts of a buffer overflow might include the introduction of executable code, being involuntarily logged out of a Chat and/or Instant Messaging session, and the crash of an application such as Yahoo! Messenger. For this specific security issue, these impacts are only possible if an attacker succeeds in getting the Messenger user to accept a webcam invitation.
Who is affected?
Yahoo! Messenger client users who accept a webcam invitation controlled by a malicious attacker. If Yahoo! Messenger was installed on your computer before August 21, 2007, you should install the update.
Why do I have to install the update?
Installing the update helps protect against exploits of this issue that may be developed.
How long will it take?
The update should take no more than a few minutes, although the exact time depends on the speed of your Internet connection.
What if I don't install the update?
Each time you sign in to Yahoo! Messenger, you will be prompted to update. If you choose not to update and you have not updated via this page, the vulnerability will still exist.
I'm a technical user. What is the CLSID and exact version of the control that contains the fix?
There are two affected DLLs. The first DLL is kdv_v32M.dll, and the fixed version is 220.127.116.11. The second DLL is ywcvwr.dll, and the fixed version is 18.104.22.168.
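For a technical user who wants to confirm the fix is present, the following script (an added example, not part of the Yahoo! advisory or the Messenger installer) locates the two DLLs named above under the Program Files directories and compares their file versions against the fixed versions, which are supplied as parameters using the values listed in the answer above. It assumes a default installation location and a Windows PowerShell host.

```powershell
# Added example: report whether the two webcam DLLs from the advisory are at or
# above the fixed version. Not Yahoo! code; the paths and versions are assumptions
# taken from the advisory text and the default install location.
param(
    [hashtable]$FixedVersions = @{
        'kdv_v32M.dll' = '220.127.116.11'   # version string as given in the advisory
        'ywcvwr.dll'   = '18.104.22.168'    # version string as given in the advisory
    }
)

# Candidate install roots; the x86 variable is empty on 32-bit Windows, so drop it.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

foreach ($name in $FixedVersions.Keys) {
    $required = [version]$FixedVersions[$name]
    $files = foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter $name -Recurse -File -ErrorAction SilentlyContinue
    }

    if (-not $files) {
        # Absent DLL: the webcam component may not be installed, so nothing to compare.
        [pscustomobject]@{ Dll = $name; Path = $null; Installed = $null; Required = $required; Fixed = 'not found' }
        continue
    }

    foreach ($file in $files) {
        # Build the version from the numeric parts; FileVersion text can carry extra tokens.
        $vi = $file.VersionInfo
        $installed = New-Object Version $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
        [pscustomobject]@{
            Dll       = $name
            Path      = $file.FullName
            Installed = $installed
            Required  = $required
            Fixed     = ($installed -ge $required)
        }
    }
}
```

Any row with Fixed equal to False indicates a pre-update DLL that still needs the security update from the download page above.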