Yahoo! IM Users Should Upgrade Immediately

People who chat online using Yahoo! Messenger software should upgrade their program. The company has pushed out a fix to plug two newly discovered security holes.

The two critical vulnerabilities reside in Yahoo! Messenger versions 8.1.0.249 and earlier. The flaws are so serious that computers running the software could be hijacked with little cooperation or action on the part of the user, aside from perhaps the user unwittingly going to visit a malicious Web page.

Yahoo! Messenger users should download and install the latest version immediately, as instructions for exploiting these flaws already have been posted online.

Kudos to Yahoo! for providing a fix for these dangerous flaws within hours after exploit code was posted online. However, I fail to understand why Yahoo! isn't prompting all users to upgrade. The company's security advisory states: "Over the next several weeks, users worldwide will be prompted to update to a new version of Yahoo! Messenger upon signing into the service."

As anti-virus vendor F-Secure notes, Yahoo! would aid its users by posting a big honking notice on its homepage about the problem.