An unpatched zero-day flaw in Yahoo Messenger allows remote attackers to fiddle with any user’s status message – allowing malware to be spread, Bitdefender security researchers revealed on Friday.
Vulnerable clients are found in version 11.x of Messenger, including the freshly released 18.104.22.168-us version.
The reason the status update vector is so dangerous boils down to trust, the researchers said. Because status updates only go out to a user’s small group of friends, those friends are likely to click through, and that’s when the nastiness begins.
Bitdefender offered a possible scenario:
The victim's status message is swapped with an attention-getting text that points to a page hosting a zero-day exploit targeting the IE browser, the locally installed Java or Flash environments or even a PDF bug, to mention only a few. Whenever a contact clicks on the victim's status message, chances are they get infected without even knowing it. All this time, the victim is unaware that their status message has been hijacked.
The exploit delivers its payload when the attacker simulates sending a file to the user.
The bogus file tricks Messenger into loading an iFrame that then swaps the status message for whatever garbage the attacker wants to load, including a potentially “dubious” link, as Bitdefender describes it.
The iFrame comes over as a regular message from another Yahoo Instant Messenger user, even if the user isn’t in the victim’s contact list.
Another way to turn the exploit into a money-maker is through affiliate marketing, where sites use custom links to pay affiliates for click-throughs or purchases, Bitdefender noted:
Someone can easily set up an affiliate account, generate custom links for products in campaign, then massively target vulnerable YIM victims to change their status with the affiliate link. Then, they just wait for the contact-generated traffic to kick in. There are actually a couple of services that pay YIM users to change their status with custom links as part of their business.
The exploit’s already on the prowl, with Bitdefender having positively identified attacks in the wild.
Any users who can receive messages from contacts outside of their lists are “100% vulnerable,” the security firm says.
To protect themselves, Yahoo users should set Yahoo Messenger to “ignore anyone who is not in your Yahoo! Contacts.”
Note: This is off by default.
Maybe Yahoo might want to consider turning that on by default, hmm?