Yahoo! Widgets YDP YDPCTL.YDPControl.1 ActiveX (YDPCTL.dll) Buffer Overflow
High Nessus Plugin ID 25798
Synopsis: The remote Windows host has an ActiveX control that is affected by a buffer overflow vulnerability.
Description: The remote host contains the YDP ActiveX control, distributed as a part of Yahoo! Widgets.
The version of this control installed on the remote host reportedly fails to validate input to the 'GetComponentVersion' method before storing it in a 512-byte buffer. If an attacker can trick a user on the affected host into visiting a specially crafted web page, he may be able to leverage this issue to execute arbitrary code on the host subject to the user's privileges.
Solution: Either disable the use of this ActiveX control from within Internet Explorer by setting its kill bit, or upgrade to Yahoo! Widgets version 4.0.5 (version 2007.7.13.3 of the YDP control itself) or later.
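The two remediation options above can be checked per host with the logic below. This is an added example, not the plugin's own code. It assumes the administrator has already read the YDPCTL.dll file version and the control's `Compatibility Flags` DWORD (under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`; the CLSID is not given on this page). Host names and the older version numbers in the sample are constructed.

```python
# Added example: classify a host against the advisory's two fixes.
FIXED_YDP_VERSION = (2007, 7, 13, 3)   # fixed control version, from the advisory
KILL_BIT = 0x00000400                  # IE "Compatibility Flags" kill-bit mask

def parse_version(text):
    """Turn '2007.7.13.3' or '2007, 7, 13, 3' into a 4-part int tuple."""
    parts = text.strip().replace(",", ".").split(".")
    if not all(p.strip().isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (4 - len(nums))      # pad short versions such as '4.0'
    return tuple(nums[:4])

def kill_bit_set(compat_flags):
    """compat_flags is the registry DWORD, or None when the value is absent."""
    return compat_flags is not None and bool(compat_flags & KILL_BIT)

def assess(file_version, compat_flags):
    """Return (status, reason) for one host."""
    if file_version is None:
        return ("not_installed", "YDPCTL.dll not found")
    # Compare as integer tuples: as strings, '2007.10.1.0' sorts before
    # '2007.7.13.3' and a newer control would be reported as vulnerable.
    if parse_version(file_version) >= FIXED_YDP_VERSION:
        return ("fixed", "control is at or above 2007.7.13.3")
    if kill_bit_set(compat_flags):
        return ("mitigated", "old control present, kill bit set for IE")
    return ("vulnerable", "old control present, no kill bit")

# Constructed sample inventory: (host, YDPCTL.dll version, Compatibility Flags)
SAMPLE = [
    ("ws-01", "2007.7.13.3", None),
    ("ws-02", "2007.10.1.0", None),
    ("ws-03", "2007.4.13.1", 0x400),
    ("ws-04", "2007, 4, 13, 1", 0x0),
    ("ws-05", None, None),
]

if __name__ == "__main__":
    for host, ver, flags in SAMPLE:
        print(host, *assess(ver, flags))
```

A host reported as "mitigated" still carries the old DLL; the kill bit only stops Internet Explorer from instantiating the control.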