Yahoo has issued a security update for a flaw in Messenger's ActiveX control.
The vulnerability is located in YMailAttach Active X control, which is provided by ymmapi.dll, according to an advisory released by US-CERT (the United States Computer Emergency Readiness Team).
An attacker can exploit the vulnerability to execute arbitrary code onto an affected PC, causing web browsers to crash. To infect a PC, a malicious user would have to convince a victim - most likely by using social engineering - to view a specially crafted HTML email message or attachment, according to US-CERT.
Yahoo urged users who have a Windows version of Messenger obtained before Nov. 2 to update. No exploit code has been released for the flaw, according to a Yahoo advisory.
Messenger users will be prompted to update every time they sign on, according to the Sunnyvale, Calif. web giant.
US-CERT also issued a workaround for the flaw, advising users to disable ActiveX controls in the Internet Zone.
Click here to email Online Editor Frank Washkuch Jr.