Yahoo! won't! fix! emoticon! exploit! in! death! row! Messenger!

Hacker Julien Ahrens says Yahoo! Messenger contains a remote code execution hole that the Purple Palace won't fix. The buffer overflow holes (CVE-2014-7216) will keep bleeding, Ahrens says, because Yahoo! has told him the relevant app is end-of-life and therefore low on Yahoo!'s to-do list. Yahoo! has been contacted for …

  1. Charles Manning
    So you have to change a file (the xml file) to compromise this.

    If you have access to change files, then surely you could just change an executable file anyway?

    1. Antonymous Coward

      Re: Ummm

      I presumed that at least one of those "two different [undisclosed] directories" the PoS looks for "emoticons.xml" within would be of the downloaded archive?

      ...just a guess though... Haven't used it for well over a decade, don't know anyone who uses it any more, won't be looking into it any further.

      (Mental note: Remember Yahoo! belongs on the Adobe list.)

    2. Old Handle

      Re: Ummm

      Not totally clear, but I think he's saying those files would be changed automatically when a user installed an emoticon pack. Or maybe replacing one of those files is how you install an emoticon pack. Either way, it's bad since this isn't something people would realize could be dangerous.

      I hope that by now people understand that they shouldn't install EXEs unless they trust the source (and if not, they kind of deserve what they get), but if you write your application in such a way that a file they would think of as "content" can pwn them, you've broken an unwritten rule of how computers are supposed to work.

      1. Mark 85 Silver badge

        Re: Ummm

        The problem here and with a lot of malware is "trust the source". How does Joe Average-User know to trust the source? Most people seem to believe that: a) if it's on the Internet, it must be true; b) if they get a file off the Internet, it must be OK; c) Nigeria must be filled with rich Generals and Princes who have died recently.

        If the average user were half as skeptical as those of us with awareness (not all IT types are aware of threats), malware would probably become unprofitable for the miscreants.

  2. chivo243 Silver badge

    Yahoo jettisoned messenger long ago

    There has been no version for OSX for quite a while now. The only option to use Yahoo messenger is to use the weird built-in web version in Yahoo webmail, or use OSX Messages configured for your Yahoo account.

    Pity, I liked the BUZZ feature of the old messenger, it came in handy many times.

    1. Morrolan

      Re: Yahoo jettisoned messenger long ago

      Adium still works with Y!m accounts on OS X.

  3. Graham Marsden

    Parsing problem...

    ... is that "row" to rhyme with "now"...

    ... or "row" to rhyme with "no"?!

  4. stevie.dunn


    I'm using pidgin messenger on ubuntu 15.04 to connect with yahoo mates - does this affect pidgin?

    yahoo messenger definitely a dinosaur!

    1. Anonymous Coward

      Re: pidgin

      >does this affect pidgin?

      Nope. Nor Trillian. Nor Miranda. Nor Kopete. Nor Jitsi... etc., etc.

      >yahoo messenger definitely a dinosaur!

      Yup. See above.

    2. Paul Crawford Silver badge

      Re: pidgin

      I used to use pidgin and it worked well. But my (few) mates all deserted MSN and Yahoo to FB, so I just ignore it now.

  5. ElReg!comments!Pierre Silver badge

    The article is a bit unclear

    What I thought by reading the title was that Yahoo won't fix messenger as they don't work on it or distribute it anymore (EoL, i.e. "dead" software rarely receives security updates; I've got a couple of Win2K boxes in the lab that can confirm this). I'd be reasonably OK with that; killing the app by preventing it from connecting to the network would be good security-wise but disastrous customer-satisfaction-wise, tough choice.

    But reading on it appears they claim emoticon packs are not Yahoo's, so the insecure way the messenger handles them is none of their concern? That would be extremely un-OK.

    So, which is which? Or maybe a little bit of column A, a large glob of column 'we don't give a shit, use the web interface already so that we can show you ads'?

    Note that I don't care terribly much, I've never used Y!Messenger or any instant messenger (other than IRC, episodically), I just don't have a use for them.

  6. James 100

    Dead app?

    It's depressing that Yahoo gave up on the service years ago - dropping the iOS client, for example (then third party ones slowly succumbed to bitrot) - it was actually pretty nice. I have three friends who still use it almost exclusively, too; I suppose I'll have to try to nudge them onto something still supported now.

    Good work Mayer: are there ANY bits of Yahoo you aren't in the process of breaking now?

