Patch/Configuration Management, Vulnerability Management

ActiveX vulnerability hits Yahoo Widgets

Researchers at Secunia have revealed a "highly critical" vulnerability in Yahoo's desktop widgets, the software plug-ins that allow the delivery of a variety of information - weather reports, sports scores and music - to PCs.

The vulnerability could be exploited by remote hackers to cause a DoS attack or take control of an affected system. It's caused by a boundary error within an ActiveX control, according to Secunia.

Malicious code could exploit the flaw to cause a stack-based buffer overflow by passing an overly long string (greater than 512 bytes) when handling certain processes.

Yahoo has created a patch [version 4.0.5] and urged that widgets users and developers apply the patch as soon as possible. The patch is available here.

Secunia confirmed the vulnerability in YDPCTL.dll version 2007.4.13.1 in Yahoo Widgets version 4.0.3, also known as "build 178." Secunia said that other versions of Yahoo Widgets may also be affected.

"Over the next several weeks, users worldwide will be prompted to update to a new version of Yahoo Widgets upon launching the application," Yahoo said in an online posting. "If you choose not to update and you have not updated, the vulnerability will still exist."

Don Montgomery, vice president of marketing at Akonix, told that the flaw could be dangerous because of widgets’ wide use.

"Because of prevalence and ubiquity of widgets, an awful lot of desktops are at risk to the vulnerability," he said. "It doesn't take email to download a virus - it can be small footprint code like widgets."

Click here to email West Coast Bureau Chief Jim Carr .


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.