Two brand new vulnerabilities for Yahoo! Messenger have been published on couple of security mailing lists. Both vulnerabilities are boundary errors in two ActiveX controls that come with Yahoo! Messenger: Webcam Upload (ywcupl.dll) and Webcam Viewer (ywcvwr.dll).

PoC exploits for vulnerabilities have been published as well and they allow execution of arbitrary code. Published PoCs just run Windows calculator (calc.exe), but it is trivial to change the shellcode so we can expect some attacks soon.

At the moment, the best mitigation is to set the kill bits for affected ActiveX controls: DCE2F8B1-A520-11D4-8FD0-00D0B7730277 and 9D39223E-AE8E-11D4-8FD3-00D0B7730277.

Thanks to Joshua G. and roseman for alerting us about this.

Update: Yahoo released a patched version of version of Yahoo! Messenger that addresses these vulnerabilities. For additional information and update instruction, please see http://messenger.yahoo.com/security_update.php?id=060707.