Today @ PC World
News, opinion, and links from the PC World staff.

Beware Yahoo IM Webcam Invitations

Posted by Stuart Johnston | Friday, August 24, 2007 2:07 PM PT

Yahoo is shipping a security update that fixes a couple of holes in the way its Yahoo Messenger client handles webcams. Here's a link to an online news story about the holes from earlier in the month.

At least one of the holes can result in a "buffer overflow" condition, a type of vulnerability that can often result in arbitrary code execution, meaning your PC could be completely compromised.

Here's what Yahoo's alert says:

"Some impacts of a buffer overflow might include the introduction of executable code, being involuntarily logged out of a Chat and/or Instant Messaging session, and the crash of an application such as Yahoo! Messenger. For this specific security issue, these impacts could only be possible if an attacker is successful in prompting the Messenger user to accept a webcam invitation."

So, as always, be careful what you click: it's never a good idea to accept any invitation from someone you don't know. And, even if you do know the name, if the invitation seems hinky or out of character for that person, it may be dangerous, so steer clear or at least validate that the invitation is really from that person.

You're at risk if you haven't updated your Yahoo Messenger client since August 21, 2007. (If your client was installed that day or earlier, you should get the update.)

You can get that update manually via Yahoo's alert page. Alternately, the company will automatically send it out to users over the coming weeks. Personally, I wouldn't wait.

This one was spotted by Ryan Naraine over at his Zero Day blog.
