New zero-day Yahoo Messenger exploit allows malware to spread via hijacked status updates

Filed Under: Featured, Malware, Vulnerability

An unpatched zero-day flaw in Yahoo Messenger allows remote attackers to fiddle with any user's status message, allowing malware to be spread, Bitdefender security researchers revealed on Friday.

Vulnerable clients are found in version 11.x of Messenger, including the freshly released 11.5.0.152-us version.

The reason the status update vector is so dangerous boils down to trust, the researchers said. Because status updates only go out to a user's small group of friends, those friends are likely to click through, and that's when the nastiness begins.

Bitdefender offered a possible scenario:

The victim's status message is swapped with an attention-getting text that points to a page hosting a zero-day exploit targeting the IE browser, the locally installed Java or Flash environments or even a PDF bug, to mention only a few. Whenever a contact clicks on the victim's status message, chances are they get infected without even knowing it. All this time, the victim is unaware that their status message has been hijacked.

The exploit delivers its payload when the attacker simulates sending a file to the user.

The bogus file tricks Messenger into loading an iFrame that then swaps the status message for whatever garbage the attacker wants to load, including a potentially "dubious" link, as Bitdefender describes it.

The iFrame comes over as a regular message from another Yahoo Instant Messenger user, even if the user isn't in the victim's contact list.

Another way to turn the exploit into a money-maker is through affiliate marketing, where sites use custom links to pay affiliates for click-throughs or purchases, Bitdefender noted:

Someone can easily set up an affiliate account, generate custom links for products in campaign, then massively target vulnerable YIM victims to change their status with the affiliate link. Then, they just wait for the contact-generated traffic to kick in. There are actually a couple of services that pay YIM users to change their status with custom links as part of their business.

The exploit's already on the prowl, with Bitdefender having positively identified attacks in the wild.

Any users who can receive messages from contacts outside of their lists are "100% vulnerable," the security firm says.

To protect themselves, Yahoo users should set Yahoo Messenger to "ignore anyone who is not in your Yahoo! Contacts."

Note: This is off by default.

Maybe Yahoo might want to consider turning that on by default, hmm?
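The two pieces above, the inbound message from a non-contact that carries an iFrame and the "ignore anyone who is not in your contacts" setting that blocks it, can be modelled with a small filter. This is an added illustration written for this article, not Yahoo's code or protocol; the `Message` class, the contact list and the sample messages are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed model of an IM client's inbound handling; not Yahoo Messenger's
# protocol or code. Shows the effect of the "ignore non-contacts" setting and a
# check for HTML markup (an iFrame) that a plain IM text should never carry.

@dataclass
class Message:
    sender: str   # constructed sender id
    body: str     # constructed message text

IFRAME_RE = re.compile(r"<\s*iframe\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def classify(msg, contacts, ignore_non_contacts=True):
    """Return 'dropped', 'blocked' or 'allowed' for one inbound message."""
    if ignore_non_contacts and msg.sender not in contacts:
        return "dropped"          # the setting the article recommends (off by default)
    if IFRAME_RE.search(msg.body):
        return "blocked"          # markup in a text message: treat as hostile
    return "allowed"

def status_hijacked(user_set_status, current_status):
    """Flag a status the user did not set that introduces a link."""
    return current_status != user_set_status and bool(URL_RE.search(current_status))

def process(messages, contacts, ignore_non_contacts=True):
    """Map each sender to the decision taken for its message."""
    return {m.sender: classify(m, contacts, ignore_non_contacts) for m in messages}

# Constructed sample traffic: a friend, a stranger and a friend whose message carries an iFrame.
CONTACTS = {"alice", "bob"}
SAMPLE = [
    Message("alice", "lunch at 1?"),
    Message("stranger", "<IFRAME src='http://example.invalid/f'></IFRAME>"),
    Message("bob", "<iframe src='http://example.invalid/x'>"),
]

if __name__ == "__main__":
    print(process(SAMPLE, CONTACTS))                 # stranger dropped, bob blocked
    print(process(SAMPLE, CONTACTS, ignore_non_contacts=False))  # stranger now blocked
    print(status_hijacked("at work", "CHECK THIS OUT http://example.invalid/deal"))
```

With the setting off (`ignore_non_contacts=False`) the stranger's message reaches the markup check instead of being dropped, which is why the article treats the setting as the primary mitigation.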


5 Responses to New zero-day Yahoo Messenger exploit allows malware to spread via hijacked status updates

  1. DOH! · 866 days ago

    To protect themselves, Yahoo users should set Yahoo Messenger to "ignore anyone who is not in your Yahoo! Contacts."

    Note: This is off by default.

    Maybe Yahoo might want to consider turning that on by default, hmm?

    Might be nice to have instructions on how to do this.

  2. viz · 865 days ago

    No worries, do not use Yahoo Messenger~ use Skype then..

  3. alex cotta · 864 days ago

    This isn't news to me. I noticed this problem around the start of 2011 thanks to the help of lousy spam on a daily basis.

    I should mention that the mobile Yahoo agent for Android really needs a makeover and IMHO is more widely insecure than the desktop.

    you can create a stack overflow within the app that could event in temporary control of your android phone (**battery pull**)

  4. jvc · 864 days ago

    I doubt it is only limited to status message links. I do NOT use Yahoo for many security reasons, including Facebook linking, which only adds to the fun when it comes to cleaning up your computer.

  5. Robert Wurzburg · 864 days ago

    In Internet Explorer, set this to disabled in all zones under Security tab:

    Launching programs and files in an IFRAME

    You may have to click on Custom to do this. The default settings in Internet Explorer are insufficient to prevent many types of exploits.

    This may offer some protection against this type of exploit.


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.