Zero-day vulnerabilities in two popular instant messaging products could put millions of computer users at risk of malicious hacker attacks.
This is the third major security hiccup found in Yahoo Messenger over the last few months.
Separately, Secunia has posted an alert for a security bug in AOL Instant Messenger that can be exploited by malicious people to execute arbitrary script code.
Input passed to the Notification window is not properly sanitised before being displayed to the user. This can be exploited to execute a limited amount of arbitrary script code in the Local Zone (My Computer) context by e.g. sending a specially crafted message to another user.
Successful exploitation requires that the target user is e.g. chatting with a different user so that the Notification window is shown and that the attacker is in the Buddy List of the target user or the target user accepts the IM message from the attacker.
The AIM flaw was confirmed in version 126.96.36.199. Other versions may also be affected.
Secunia recommends that AIM users disable "New IMs arrive" option in the "Notifications" settings until America Online ships a patch.