Yahoo! IM security hole gets patch after website warning

Yahoo! issued a security patch to fix a potential vulnerability in its latest instant messaging software, the company has announced.

The patch repairs a security hole stemming from Yahoo! Messenger's use of the portable network graphics - or PNG - format, an open-source code the program uses to display certain images, such as buddy list avatars.

The most critical issue, a memory problem known as a buffer overflow, could allow specially created PNG graphics to execute malicious programs when a vulnerable application loads an image.

Yahoo! posted a security update on its Yahoo! Messenger site.

"This affects users on the all new Yahoo! Messenger," said Yahoo! spokeswoman Terrell Karlsten. She added that the patch will not change any functionality on the service.

The site pointed specifically to a warning issued last week by the United States Computer Emergency Readiness Team's web site about the PNG vulnerability.

The security problems are in a library that lets applications such as browsers and instant messaging software handle PNG. The library is widely used by programs such as the Mozilla and Opera browsers and various email clients, but has also found its way into Microsoft's Internet Explorer, Apple's Mail software for the Mac OS X and Yahoo! Messenger for Windows. Most of these applications have been patched.

Jim Hu writes for CNET News.com