An unpatched vulnerability in Yahoo Messenger lets attackers alter users’ status messages and possibly perform other unauthorized actions, and could be exploited to direct users to malicious spam links, according to Computerworld. The flaw is found in the application’s file transfer API and allows attackers to write a script in less than 50 lines of code that sends malformed requests, resulting in the execution of commands without any involvement from victims.
Bogdan Botezatu, a researcher at security firm BitDefender, says in a blog post, “If you can receive messages from contacts outside of your [Yahoo Instant Messenger] list, you are 100% vulnerable.” The exploit affects Yahoo Messenger version 11.x, including the newly released 11.5.0.152-us.
Note that, according to the Yahoo! Messenger blog, Yahoo ended support for the previous Yahoo! Web Messenger as of November 1, 2011 and urged users to download the new desktop client 11.x or use IM through Yahoo! Mail.