CERT Warns of Yahoo! Messenger Vulnerabilities

It may be a good time to firm up your organization's policies on use of the Yahoo! instant messaging client.

The CERT/CC issued an alert Wednesday about multiple vulnerabilities in the Yahoo! Messenger client for Windows. Among other problems, one flaw could allow malicious users to execute arbitrary code with the privileges of the victim user.

Yahoo! patched a number of problems in February with version 5,0,0,1058, and a few more recent problems with versions 5,0,0,1065 and 5,0,0,1066 in late May. However, the CERT/CC warns that a problem with Yahoo!'s distribution server ended with some users receiving version 5,0,0,1034, which has none of the patches, after May 22.

Although the CERT/CC said that the Yahoo! distribution server problem had been fixed, an attempt by ENT to move to the latest version on Wednesday failed. The Yahoo! server offered an alternative download location that installed another pre-February patch version -- 5,0,0,1045.

A subsequent attempt resulted in a successful install of 5,0,0,1066, but serves as a warning for administrators to make sure that users verify that they have installed the correct version.

Yahoo! is one of several popular instant messaging clients offered as free Internet downloads. In a recent report, an analyst at Gartner warned IT managers to carefully monitor use of instant messaging clients in the enterprise as the software could become a springboard for future multi-pronged attacks along the lines of Code Red and Nimda. A vulnerability in Microsoft's MSN Messenger prompted the Gartner warning.

The CERT/CC bulletin is available here:

Yahoo! Messenger update can be obtained here:

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.


  • Google Goes Live with Managed Service for Microsoft Active Directory

    Google's Managed Service for Microsoft Active Directory is now a "generally available" service, according to a Thursday Google announcement.

  • Dell Sells RSA Assets for $2 Billion

    Dell's RSA security solutions businesses, including the RSA Conference, were bought by a consortium of companies for about $2 billion, according to Tuesday announcements.

  • How To Get Started as a Windows Insider

    Microsoft's Windows Insider program is invaluable for IT pros who want to test drive new Windows 10 features before the update rolls out to their entire organization. If you haven't already signed up to be an Insider, here's how to do it.

  • Old Fashioned Mics

    Microsoft Preps for RSA Conference with Multiple Security Product Announcements

    Microsoft announced various enterprise security solution product milestones this week in advance of the forthcoming RSA Conference, which will start on Feb. 24.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.