eWeek Security Watch
May 6, 2008 12:24 PM

Yahoo Ships Silent Fix for ActiveX Flaw



Yahoo has silently pushed out a patch for a critical vulnerability affecting users of its Yahoo Assistant browser add-on.

According to an alert from "Sowhat," a researcher at Nevis Labs, the vulnerability "allows attackers to execute arbitrary code on vulnerable installations."

Yahoo Assistant is marketed to Chinese users as a security product featuring tools to repair Internet Explorer settings, provide anti-virus protection and block pop-up advertising.

From the security advisory:

The specific flaw exists in the ynotifier.dll ActiveX control. Successfully exploiting this vulnerability allows attackers to execute arbitrary code on vulnerable installations. Successful exploitation requires that the target user browse to a malicious web page.

"During the instantiation of the Ynotifier COM object through IE, there [is] an exploitable memory corruption condition," according to the alert, which includes proof-of-concept code. "By taking advantage of some heap spraying technique, the attacker can exploit this vulnerability to execute arbitrary code."
