Another Yahoo! ActiveX hole

[Cesar <cesarc56 () yahoo com>]

Some weeks ago i found another hole in a Yahoo!
ActiveX, i haven't told Yahoo! yet about this and i
just noticed this:

Yahoo! silently (Yahoo! didn't post any kind of alert)
fixed another hole in "YInstStarter Class" ActiveX
(heap overflow in "AppId" initialization parameter),
this ActiveX is installed in order to download Yahoo!
Messanger. If you have downloaded Yahoo! Messenger
before 09/09/03 then you are vulnerable and you should
remove the ActiveX or go to Yahoo! Messenger download
site and update the ActiveX.

To remove the ActiveX:
-Go to: %SystemRoot%\Downloaded Program Files\
-Right Click on: YInstStarter Class
-Left Click: Remove

I thought Yahoo! was serious about security!!! Doh!!!
i have Yahoo! emails accounts:)


To reproduce the overflow just copy and paste the
following:

<OBJECT ID='YInstStarter'
CLASSID='CLSID:30528230-99F7-4BB4-88D8-FA1D4F56A2AB' 
> <PARAM NAME='AppId' Value='verylongstringhere'>
<PARAM NAME="Test" Value="0"><!--not necessary, but
what this does here!!! Test?-->
</OBJECT>


Cesar.

__________________________________
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software
http://sitebuilder.yahoo.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html