Less than 24-hours eEye Digital Security released a pre-patch advisory for "high risk" flaws in the Yahoo Messenger software, an unknown hacker has published exploit code for dangerous holes in two ActiveX controls installed by default by the Yahoo Messenger package.
The zero-day exploits (see code here and here) could allow arbitrary code execution under the context of the logged in user. The vulnerabilities were found in ActiveX controls used by the Yahoo Webcam image upload and view utilities.
It is not known if these are in any way related to the eEye discoveries. I have confirmed that these are indeed the same flaws discovered and reported by eEye (working on another story now on how Yahoo screwed up the disclosure process).
According to the Zero Day Tracker, the release of these exploits should be treated very seriously:
ActiveX remote code execution vulnerabilities have very high impacts since the source of the malicious payload can be any site on the Internet. An even more critical problem is generated when clients are administrators on their local hosts, which would run the malicious payload with Administrator credentials.
In the absence of a patch, the best thing to do is to uninstall and stop using the vulnerable program.
If you are not willing to remove Yahoo Messenger, you can killbit the CLSIDs for the Yahoo! ActiveX Control (DCE2F8B1-A520-11D4-8FD0-00D0B7730277,9D39223E-AE8E-11D4-8FD3-00D0B7730277). This will disable calls to these ActiveX controls from Web pages, thereby mitigating these specific vulnerabilities.
[UPDATE: June 7, 2007 @ 3:34 PM] Secunia rates this an "extremely critical" issue and provides more details on the two vulnerabilities:
1. A boundary error within the Yahoo! Webcam Upload (ywcupl.dll) ActiveX control can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the "Server" property and then calling the "Send()" method.
2) A boundary error within the Yahoo! Webcam Viewer (ywcvwr.dll) ActiveX control can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the "Server" property and then calling the "Receive()" method.