Slashdot Mirror

← Back to Stories (view on slashdot.org)

Worm Wriggles Through Yahoo! Mail Flaw

Posted by ryuzaki0 on from the descriptive-imagery dept.

Jasen Bell writes to mention a ZDNet article about a clever new worm affecting users of Yahoo!'s email service. The virus uses a flaw in JavaScript to infect a computer when an email is opened from the user's web-based mail. From the article: "The worm, which was spotted in the wild early this morning, has hit the remote server more than 100,000 times, forwarding Yahoo e-mail addresses harvested from unsuspecting users, Turner said. Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a '2.' The security vendor uses a 1-to-5 rating system, with '5' as its most severe category."

14 of 186 comments (clear)

  1. Fixed. by Se7enLC · · Score: 3, Insightful

    Fixed: At the time of the advisory, there was no patch for the vulnerability. But by later on Monday, Yahoo said it had come up with a fix for the flaw, which it said had affected very few of its customers.

    I have to say I agree with the low threat level. All the virus does is propogate and collect email addresses, and only on yahoo. If you have a yahoo email address, you're getting spam anyway, so how will you even know the difference?

  2. First reported by Billosaur · · Score: 4, Insightful

    Yesterday by The Register

    My question is: who thought it was a good idea to enable JavaScript in emails? Someone at Yahoo! wasn't paying attention to basic security.

    --
    GetOuttaMySpace - The Anti-Social Network
    1. Re:First reported by Bogtha · · Score: 3, Informative

      The article is wrong when it claims that it's "a flaw in JavaScript", it's a flaw in Yahoo's webmail. So the answer to your question is almost certainly: nobody thought it was a good idea to enable JavaScript in emails, the developers working on Yahoo's webmail didn't escape things properly and nobody was doing decent QA to catch the mistake the developers made. So basically, it's a management error.

      There doesn't seem to be detailed technical information available anywhere, but it sounds very much like it's just a specialised form of an XSS attack, where you sneak code into the application in such a way that the application doesn't encode it properly for output to another user.

      --
      Bogtha Bogtha Bogtha
  3. Medireview virus attacks yahoo. by leuk_he · · Score: 4, Interesting

    I thought the security of yahoo would have captured a old javascript virus by now. Bu i do not understand: how can this javascript break out the browsers? isn't yahoo just a webmail website? then how would the local pc be affected? why would you have to scan your pc as symantic tells you?

    Ok, the virus can send a lot of e-mails and break the yahoo mail system. or si there something about yahoo mail i do not understand?

    1. Re:Medireview virus attacks yahoo. by larkost · · Score: 4, Informative

      The poster's question is valid. He/she is asking if the JavaScript worm can actually do anything other that work within the browser, as in how can the worm "infect" the computer. The answer is that it can't. It only harvests the email addresses that are on your Yahoo addressbook, and emails itself to them, once again though Yahoo. So everything is done within the browser, and there is no compromise outside the browser's sandbox.

      With a little creativity, this could be extended to grab a file off the HD, and send the data to any site it chose, but it does not sound like that is the case here.

  4. Re:Not everyone affected... by neonprimetime · · Score: 3, Informative

    you could also not open werid emails from people you don't know

    Yeah, but this spreads via your Yahoo! contact list ... and thus I received this worm email "from" one of my friends ... so it's not just coming from random accounts, it's coming from people who have you in their contact list.

  5. Symantec by omeomi · · Score: 3, Insightful

    Symantec is rating the threat a '2.'

    The lowball number is interesting, especially given the fact that Symantec is the company charged with the task of keeping an outbreak like this from happening:

    Symantec to scan Yahoo Mail for viruses

    --
    ZuluPad, the wiki notepad on crack
  6. Re:"This worm is a 2." by BobVH · · Score: 3, Informative

    Just copy-pasted this off symantec:

    Category 5 - Very Severe
    Highly dangerous threat type, very difficult to contain. All machines should download the latest virus definitions immediately and execute a scan. Email servers may need to come down. All three threat metrics must be High.

            * Wild: High
            * Damage: High
            * Distribution: High

    Category 4 - Severe
    Dangerous threat type, difficult to contain. The latest virus definitions should be downloaded immediately and deployed.

            * Wild: High
            * Damage or Distribution: High

    Category 3 - Moderate
    Threat type characterized either as highly wild (but reasonably harmless and containable) or potentially dangerous (and uncontainable) if released into the wild.

            * Wild: High
                or
            * Damage: High and Distribution: High

    Category 2 - Low
    Threat type characterized either as low or moderate wild threat (but reasonably harmless and containable) or non-wild threat characterized by an unusual damage or spread routine, or perhaps by some feature of the virus that makes headlines in the news.

            * Damage: High
                or
            * Distribution: High
                or
            * Wild: Low or Moderate

    Category 1 - Very Low
    Poses little threat to users. Rarely even makes headlines. No reports in the wild.

            * Wild: Low
            * Damage or Distribution: Low

  7. Can't we all just leave each other alone? by NotQuiteReal · · Score: 3, Funny

    Ironically, those of us with no contacts in our yahoo mail make for the best of friends!

    --
    This issue is a bit more complicated than you think.
  8. Here is the Source, Luke. by fatboy · · Score: 3, Informative

    Lameness filter got me. Here is a link.

    --
    --fatboy
  9. Crime and punishment by erroneus · · Score: 3, Interesting

    In short, I believe there should be some very stiff penalties to pay if it is proven that someone has written and deployed malware of this sort. There should be prison time and forfeiture of any money and assets acquired as a result of gains from this activity.

    People often complain that punishment is too severe for this otherwise 'harmless' activity (and often compared to more heinous crimes such as assault, robbery, murder sex/child related crimes) and that damages are quite often exaggerated beyond reason. I can't say much about exaggerated damages, but I can say that in addition to other classifications of crimes, I also consider the following:

    Planned/premeditated or not. Many aspects of the more heinous crimes where punishment is often less than these "white collar" crimes are not planned or premeditated. They are driven by little more than emotional or other motives. There is something more cold, more dark and indeed more arrogant when it comes to crimes such as the act of creating and deploying an internet worm. There is no question that what they are doing is immoral and illegal. They perform the act believing they will not be caught, that they will profit from the act and seemingly that it is somehow their right to take advantages of weaknesses in security simply because they are 'superior' in some way.

    I see a noticable decline in the amount of spam in my inboxes of late. People claimed that the current federal legislation regarding spam wasn't enough and yet I see stories of people being prosecuted under these law successfully and when these people are put out of business, most all see a difference -- an improvement. It's working.

    We don't need more legislation, but we do need to up the level of aggression in persuing these people and up the amount of punishment they are given when they are caught. While they are thinking about their planned attacks, they need to have cause to consider the potential cost to their lives as well.

  10. The warm may not be as "innocent" by trifish · · Score: 4, Informative

    Some people tend to think that this worm is harmless (just "spreading itself"). But the worm actually sends the harvested email adresses to an external site - www.av3.net [which I wouldn't dare to browse to].

    Here are the technical details of the worm:

    1) Arrives on the compromised computer as an HTML email containing Javascript. The email may have the following characteristics:

    From: Varies
    Subject: New Graphic Site
    Message body: Note: forwarded message attached.

    2) Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.

    3) Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.

    4) Targets email addresses from the @yahoo.com and @yahoogroups.com domains.

    5) Contacts the following URL:

    [http://]www.av3.net/index.htm

    6) Sends a list of email addresses gathered to the above URL.

  11. Your "JavaScript"? by Elixon · · Score: 3, Insightful

    "flaw in JavaScript" - you really mean "flaw in JavaScript" or flaw in the implementation of the so-called "JavaScript"? I mean - all browsers with "JavaScript" are affected? Including mobile devices, linuxes, unixes...?

    --
    Well, I've got to get back to work. When I stop rowing, the slave ship just goes in circles.
  12. Here's the flaw that's exploited by fizbin · · Score: 3, Informative

    It's fixed on yahoo's servers now, but according to the source link posted earlier, the flaw that's being exploited seems to be a bug in how yahoo parses html attributes. The bug sends itself as:

    <img src='http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ ma_mail_1.gif'
    target=""onload="whole bunch of crappy javascript here that uses only
    single quotes and just goes on and on">

    Note the lack of a space between the 'target' bit and the 'onload' bit. Now, apparently "target" is one of the HTML attributes that yahoo allows through on an IMG tag (why?). Anyway, it appears that yahoo's servers see both the target and the onload bit as one big long target attribute and let it through, whereas most browsers see that as a separate "target" and "onload" attribute and execute the javascript as soon as the image (one of the standard yahoo mail images, so it'll likely already be in the browser cache) is loaded.

    The lesson here? I'm not really sure, beyond "double- and triple-check your parsing routines, since they will be used in security-sensitive code".