Security researchers have discovered an unpatched flaw in Yahoo! Messenger that allows miscreants to change any user's status message. Hijacked status updates are a handy way to persuade a victim's contacts to click on a link and lead them to a dangerous website. Worse still, the bug in version 11.x of the Messenger client …
Is a weeping sore.
My wife's and dozens of other mail accounts got compromised through a messenger flaw that seems to bypass the normal password challenge. It seems you cannot turn the messenger to mail linkage off at all.
Keep! up! the! good! work!
Point of Clarification
When i read this article my first thought was:
"Duh, don't accept file transfers from people you don't know"
When you actually read the MalwareCity blog that the article points to it clarifies that the exploit is actually injected into and run from the file transfer accept/deny dialog, so once you've got the request you're already 'sploited.
The el reg article says they're trying to send a file that's actually an iframe, but actually that iframe is already automatically sent and run.
The Bottomline action of denying off-list messages is still the same, but i think it's an important point of clarification.
I've never installed any of the official messengers since 2004. Dabbled with Miranda IM back then and haven't looked back.
Anyone use that crap?
This particular issue allows an iframe to be injected into an instant message. The iframe is then executing JS that is accessible in the IM (which looks something like a pastebin by the name of edKmYV3h). If you look very closely this issue with the JS (and by extension of messenger's functionality, outside-of-IM controls) becomes much more concerning. Currently, although unmentioned, this allows someone to execute scripts on a victim to send unsolicted instant messages and other packets from the victim, close the client, possibly set or read messenger preferences.
All said and done, Messenger is a prime candidate for a botnet until this is patched.
yahoo knew ages ago but did nothing
I had a friend whos computer yahoo account was compromised 6000 spam messages a week hed get. After phoning yahoo they said they couldn`t fix it but attempted to block the sender who had numbers after the name from 1-100 even though i blocked them it new names just kept coming up from 1-100.
In the end i created a new account for him.
When i was first alerted he had 27000 e-mails.
Seriously El Reg, When is this joke going to get old?