Yahoo Messenger users are vulnerable to two security holes, the more serious of which could lead to the execution of malicious code on a user's system, Yahoo has warned.

An update available from Yahoo's site fixes the flaws, which affect versions of Messenger up to 6.0.0.1750, and would be found in any version downloaded before 17 February, Yahoo said in an advisory.

"Under a very specific set of circumstances, an executable file could be unknowlingly launched in Yahoo! Messenger. As a result, users could be vulnerable to running a malicious program on their computer," Yahoo said. The bug, a spoofing flaw, was discovered by Danish security firm Secunia.

Affected versions of Messenger don't display long filenames correctly in the file transfer dialogue windows, Secunia said. "This can be exploited to trick users into accepting and potentially executing malicious files."

For the exploit to work, the option "Hide extension for known file types" must be enabled in Windows - as it is by default, Secunia said. The bug's seriousness is mitigated by the need for user interaction in a successful exploit, but it is dangerous enough that companies shouldn't delay upgrading, Secunia said.

A second flaw, exploitable only by local users, could allow an attacker with low privileges to execute malicious code with the privileges of another user, Secunia said. An attacker can exploit this flaw by running Messenger's Audio Setup Wizard, according to Secunia. Both bugs are fixed in the update.