Vulnerability Note VU#101676
Yahoo! Music Jukebox YMP Datagrid ActiveX control stack buffer overflows
The Yahoo! Music Jukebox YMP Datagrid ActiveX control contains multiple stack buffer overflows, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Yahoo! Music Jukebox is a music player for Microsoft Windows, which includes multiple ActiveX controls. The YMP Datagrid ActiveX control, which is provided by datagrid.dll, contains multiple stack buffer overflows. For example, the AddImage() and AddButton() methods are vulnerable.
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user on a vulnerable system.
Apply an update
This vulnerability is addressed in Yahoo! Media Jukebox version 2.2.2.058, which comes with datagrid.dll version 220.127.116.11. This update may be applied with the automatic update functionality of the Yahoo! Media Jukebox software, or you can install it manually. Please see the Yahoo! Music Jukebox Security Update for more details.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Yahoo, Inc.||Affected||-||13 Feb 2008|
CVSS Metrics (Learn More)
This vulnerability was publicly disclosed by Krystian Kloskowski
This document was written by Will Dormann.
- CVE IDs: CVE-2008-0623 CVE-2008-0624
- Date Public: 02 Feb 2008
- Date First Published: 05 Feb 2008
- Date Last Updated: 13 Feb 2008
- Severity Metric: 21.42
- Document Revision: 22
If you have feedback, comments, or additional information about this vulnerability, please send us email.