Ummm
So you have to change a file (the xml file) to compromise this.
If you have access to change files, then surely you could just change an executable file anyway?
Hacker Julien Ahrens says Yahoo! Messenger contains a remote code execution hole that the Purple Palace won't fix. The buffer overflow holes (CVE-2014-7216) will keep bleeding, Ahrens says, because Yahoo! has told him the relevant app is end-of-life and therefore low on Yahoo!'s to-do list. Yahoo! has been contacted for …
I presumed that at least one of those "two different [undisclosed] directories" the PoS looks for "emoticons.xml" within would be of the downloaded archive?
...just a guess though... Haven't used it for well over a decade, don't know anyone who uses it any more, won't be looking into it any further.
(Mental note: Remember Yahoo! belongs on the Adobe list.)
Not totally clear, but I think he's saying those files would be changed automatically when a user installed an emoticon pack. Or maybe replacing one of those files is how you install an emoticon pack. Either way, it's bad since this isn't something people would realize could be dangerous.
I hope that by now people understand that they shouldn't install EXEs unless they trust the source (and if not, they kind of deserve what they get), but if you write your application in such a way that a file they would think of as "content" can pwn them, you've broken an unwritten rule of how computers are supposed to work.
The problem here and with a lot of malware is "trust the source". How does Joe Average-User know to trust the source? Most people seem to believe that: a) if it's on the Internet, it must be true; b) if they get a file off the Internet, it must be ok; c) Nigeria must be filled with rich Generals and Princes who have died recently.
If the average user were half as skeptical as those of us with awareness (not all IT types are aware of threats), malware would probably become unprofitable for the miscreants.
There has been no version for OSX for quite a while now. The only option to use Yahoo messenger is to use the weird built-in web version in Yahoo webmail, or use OSX Messages configured for your Yahoo account.
Pity, I liked the BUZZ feature of the old messenger, it came in handy many times.
What I thought by reading the title was that Yahoo won't fix messenger as they don't work on it or distribute it anymore (EoL, i.e. "dead" software rarely receives security updates; I've got a couple Win2K boxes in the lab that can confirm this.); I'd be reasonably OK with that, killing the app by preventing it from connecting to the network would be good security-wise but disastrous customer-satisfaction-wise, tough choice.
But reading on it appears they claim emoticon packs are not Yahoo's, so the insecure way the messenger handles them is none of their concern? That would be extremely un-OK.
So, which is which? Or maybe a little bit of column A, a large glob of column 'we don't give a shit, use the web interface already so that we can show you ads'?
Note that I don't care terribly much, I've never used Y!Messenger or any instant messenger (other than IRC, episodically), I just don't have a use for them.
It's depressing that Yahoo gave up on the service years ago - dropping the iOS client, for example (then third party ones slowly succumbed to bitrot) - it was actually pretty nice. I have three friends who still use it almost exclusively, too; I suppose I'll have to try to nudge them onto something still supported now.
Good work Mayer: are there ANY bits of Yahoo you aren't in the process of breaking now?