Attackers could exploit a Yahoo Widgets flaw to run malicious code on compromised Windows machines, but Yahoo has released a security update to fix it.
Yahoo Widgets is a platform that allows users to run small,
Attackers can exploit this to cause a stack-based buffer overflow by passing an overly long string (greater than 512 bytes) to the affected method, Danish vulnerability clearinghouse Secunia said in an advisory. Specifically, the firm said, the problem is a boundary error within the YDPCTL.YDPControl.1 (YDPCTL.dll) ActiveX control when handling the "GetComponentVersion()" method.
Secunia rated the flaw highly critical because successful attackers can run malicious code on compromised computers. The firm recommended users update to Yahoo Widgets version 4.0.5.
In its security advisory, Yahoo said users running a version of Yahoo! Widgets obtained before July 20, 2007 on a Windows PC need to download the updated version.
Of the potential damage, Yahoo said, "Some impacts of a buffer overflow might include the introduction of executable code and the crash of an application such as Internet Explorer. For this specific security issue, these impacts could only be possible if an attacker is successful in prompting someone to view malicious HTML code, most likely executed by getting a person to visit their Web page."