Slashdot Mirror

← Back to Stories (view on slashdot.org)

Worm Wriggles Through Yahoo! Mail Flaw

Posted by ryuzaki0 on from the descriptive-imagery dept.

Jasen Bell writes to mention a ZDNet article about a clever new worm affecting users of Yahoo!'s email service. The virus uses a flaw in JavaScript to infect a computer when an email is opened from the user's web-based mail. From the article: "The worm, which was spotted in the wild early this morning, has hit the remote server more than 100,000 times, forwarding Yahoo e-mail addresses harvested from unsuspecting users, Turner said. Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.' The security vendor uses a 1-to-5 rating system, with '5' as its most severe category."

13 of 186 comments (clear)

  1. Fixed. by Se7enLC · · Score: 3, Insightful

    Fixed: At the time of the advisory, there was no patch for the vulnerability. But by later on Monday, Yahoo said it had come up with a fix for the flaw, which it said had affected very few of its customers.

    I have to say I agree with the low threat level. All the virus does is propogate and collect email addresses, and only on yahoo. If you have a yahoo email address, you're getting spam anyway, so how will you even know the difference?

  2. First reported by Billosaur · · Score: 4, Insightful

    Yesterday by The Register

    My question is: who thought it was a good idea to enable JavaScript in emails? Someone at Yahoo! wasn't paying attention to basic security.

    --
    GetOuttaMySpace - The Anti-Social Network
  3. Re:Very interesting by o'reor · · Score: 2, Insightful

    The article only mentions the systems affected (only Windows systems apparently) but not the browsers. However, it is the browser that executes the Javascript code, which steals the e-mail addresses from the Yahoo! address book. So, are they sure that a Linux-based system with Mozilla (such as mine) would not be affected by the worm ?

    --
    In Soviet Russia, our new overlords are belong to all your base.
  4. Symantec by omeomi · · Score: 3, Insightful

    Symantec is rating the threat a '2.'

    The lowball number is interesting, especially given the fact that Symantec is the company charged with the task of keeping an outbreak like this from happening:

    Symantec to scan Yahoo Mail for viruses

    --
    ZuluPad, the wiki notepad on crack
    1. Re:Symantec by Justin+Shreve · · Score: 2, Insightful

      The article you linked to mentions that it is Symantec's job to scan Yahoo attachments for viruses.

      This Worm that we are talking about though is not even passed via attachments so there is no way (with the agreement mentioned in that article) that Symantec can actually clean it for Yahoo.

      "Unlike its predecessors, which would require the user to open an attachment in order to launch and propagate, JS-Yamanner makes use of a security hole in the Yahoo! web mail program in order to spread to other Yahoo! users."

      This bug will have to be fixed server side by cleaning out the Javascript that is still being allowed in email messages. This is something I doubt Yahoo gave Symantec access to do.

  5. Exploits a javascript bug? by NynexNinja · · Score: 2, Insightful

    The article is lacking many details, like specifically which browsers seem to be vulnerable to this problem, or even if this is a browser bug that it is exploiting.... It could be a server side problem they are exploiting, or a client side browser bug. It says the vulnerable systems are every Windows OS, so it appears to be a client side problem with Internet Exploder, although from the article it is impossible to determine this.

  6. "a flaw in JavaScript"? by bcmm · · Score: 2, Insightful

    A flaw in whose JS implementation then?

    --
    # cat /dev/mem | strings | grep -i llama
    Damn, my RAM is full of llamas.
  7. Your "JavaScript"? by Elixon · · Score: 3, Insightful

    "flaw in JavaScript" - you really mean "flaw in JavaScript" or flaw in the implementation of the so-called "JavaScript"? I mean - all browsers with "JavaScript" are affected? Including mobile devices, linuxes, unixes...?

    --
    Well, I've got to get back to work. When I stop rowing, the slave ship just goes in circles.
  8. Re:This is an example of webmail's suckiness by oni · · Score: 2, Insightful

    Using cryptographic signatures to verify that an email is really from your friend, before you trust its contents, simply isn't an option.

    well, the email *was* from his friend. His friend was infected. If his friend was using a standalone email client and using cryptographic signatures, then most likely, his friend would have entered his password for PGP or whatever, and that password would be stored in memory, and then when the virus took over his account and started sending mail, the virus would sign the mail.

    So in this particular instance, I don't see how a standalone client would help things.

  9. Why isn't Yahoo saying anything about this? by shotgunefx · · Score: 2, Insightful

    Don't see anything on the home page, my.yahoo, or even the login page of yahoo mail.

    That's pretty shitty. How hard would it be to add a warning and some helpful directions to the template of the login page?

    --

    -William Shatner can be neither created nor destroyed.
  10. the creators website is still up by Anonymous Coward · · Score: 1, Insightful


    and still collecting all those addresses

    http://www.av3.net/

    and the whois is of course using that American whois "privacy" service, perhaps the FBI would like to sift through their computers, iam sure a lot of online crime could be cleared up quite quickly

  11. Re:This is an example of webmail's suckiness by bobcat7677 · · Score: 2, Insightful

    I agree with the parent on the bullet points, but I think the conclusion "death to webmail" is barking up the wrong tree. The real issue goes back to point number two: rendered in too powerful an environment. If e-mail was ALWAYS treated as text, instead of trying to support HTML and mime types blah blah then having a safe webmail interface would simply mean a control that shows the text as text only with no possible execution. Simple and what e-mail was always meant to be. If you need to send "pretty" stuff then send it as an attachment and let that be what it is.

  12. Re:This is an example of webmail's suckiness by Anonymous Coward · · Score: 2, Insightful

    I don't have a problem with rendering HTML in webmail or any other mail. Javascript is not HTML, however, and should NEVER be activated with webmail. A proper webmail client needs to filter out all script tags before display. They are not needed.