Yahoo! Messenger users have been warned to update their IM software following the discovery of a serious security bug.

The vulnerability - which involves an unspecified buffer overflow bug in the IM client's YMailAttach ActiveX control - creates a potential means for hackers to take control of Windows (and only Windows) PCs.

Users running Yahoo! Messenger clients released before 2 November are advised to update to the latest version of the software via the Yahoo! download site here. Unless they apply the update, users of Yahoo! Messenger 5,6,7 and are all at risk from attack in cases where they are tricked into visiting maliciously constructed websites that take advantage of the vulnerability.

Both Yahoo! (here) and US CERT (here) have published advisories explaining the problem in greater depth. US CERT lists a number of workarounds, such as disabling the affected ActiveX control in IE, designed to guard against attack for those not yet ready to upgrade. ®

Related stories

• Yahoo! In! Ninth! Circle! Of! Security! Hell! (20 September 2007)
• Yahoo! Messenger! users! face! attack! by! video! (16 August 2007)
• Yahoo! patch squashes messenger bug (8 June 2007)
• Buggy ActiveX controls menace Yahoo! Messenger (7 June 2007)
• MSN password stealer released as torrent (23 January 2007)
• Acer 'preloads vulns' onto notebooks (10 January 2007)
• BT Yahoo! customers stuck with old passwords (21 December 2006)
• All I want for Christmas... (20 December 2006)
• Yahoo!, Microsoft launch new messenger services (20 June 2006)
• IM worm installs rogue browser (22 May 2006)
• Yahoo! phishing warning (24 January 2006)
• Santa worm is coming to IM (22 December 2005)
• Yahoo! IM! in! flaw! flap! (13 January 2004)
• EDS bans IM (14 May 2002)