(LiveHacking.Com) – A zero-day exploit has been found in Yahoo! Messenger 11 (including the recently released 18.104.22.168-us) that allows a remote attacker to alter status messages without user interaction or permission.
The vulnerability is in how Messenger processes files sent to a user. Using a specially crafted $InlineAction parameter, an iFrame can be loaded that swaps the user's status message for the attacker's. Furthermore, this false status message can contain a link (which could then be used to spread malware).
Because Messenger users expect messages from their chosen group of contacts (friends), these rogue messages have a high click-through rate. Once the link is clicked, malware can be installed via known Java, Flash, PDF or IE exploits.
There is also the potential for cyber criminals to try to make money using this new exploit.
Someone can easily set up an affiliate account, generate custom links for products in campaign, then massively target vulnerable YIM victims to change their status with the affiliate link. Then, they just wait for the contact-generated traffic to kick in. There are actually a couple of services that pay YIM users to change their status with custom links as part of their business.
The quickest workaround for this vulnerability is to ensure that you have Yahoo! Messenger set to “ignore anyone who is not in your Yahoo! Contacts”, which is off by default.