Yahoo! Messenger configures the 'ymsgr:' URI handler when it is installed. The handler invokes YPAGER.EXE with the supplied parameters. YPAGER.EXE accepts the 'call' argument; it is used for starting the 'Call Center' feature.



There is a stack overrun condition in the 'Call Center' component that may be exploited through a specially constructed URI. It has been reported that the stack frame of the affected function will be corrupted if the argument to the 'call' parameter passed to YPAGER.EXE is of 268 bytes or greater in length.

Attackers may exploit this vulnerability to execute arbitrary code.

Remote: Yes

Exploit: No

Source: http://www.xatrix.org/article1564.html