Yahoo's IM software a hacker's dream

Get your patch here...

The latest version of Yahoo's instant messenger software (YIM) contains a series of holes which could allow a hacker to take over a user's PC.

The vulnerabilities in the software, which is used by up to 60 million people, allow the unauthorised execution of programs on a YIM user's machine via buffer overflows or injections of Java or Visual Basic script in the instant messenger content tabs.

Security specialist Phuong Nguyen, of security firm Vice Consulting, is quoted as saying: "The net impact is to allow a relatively simple opportunity to hijack users' YIM client outright, and use it to attack or intrude into YIM users' supposedly private information systems."

A malicious hacker could get hold of a user's ID and password and send it to an email address or internet URL. Malicious code could be buried in HTML pages or emails with text or images which encourage YIM users to click on them.

Yahoo has already released a patch (http://messenger.yahoo.com), but this will temporarily restrict the functionality of the software until the company secures the full version.
