Yahoo Messenger 0-Day Exploit
Friday, December 9, 2011
Security researchers have discovered an unpatched flaw in Yahoo! Messenger that allows miscreants to change any user's status message. The vulnerability was discovered in the wild by security researchers from antivirus vendor BitDefender while investigating a customer's report about unusual Yahoo Messenger behavior.
The zero-day vulnerability is present in versions 11.x of the Yahoo Messenger client, including the most recently released version. The flaw appears to be located in the application's file transfer API (application programming interface) and allows attackers to send malformed requests that result in the execution of commands without any interaction from victims.
"An attacker can write a script in less than 50 lines of code to malform the message sent via the YIM protocol to the victim," said Bogdan Botezatu, an e-threats analysis & communication specialist at BitDefender. "Status changing appears to be only one of the things the attacker can abuse. We're currently investigating what other things they may achieve," he added.
The attacker sends the target what appears to be a file but is actually an iframe that swaps the status message for the attacker's customised text. If successfully executed, a victim will have no indication that his or her status message has been rewritten. The ruse might be used to earn affiliate income by promoting dodgy sites, as well as to direct users towards sites loaded with exploits or scareware scams.