Yahoo released a series of Messenger 5 versions with a gaping security hole that allows remote access to Messenger users' computers. This remote access is silent: the user is never informed, and no provision is available for the local user to confirm or deny access.
There are several types of vulnerabilities involved, including:
cosmetic changes...
o- style sheets to change the background color
o- put a graphic image as wallpaper, 'adult' content possible
o- change the background color at any time, black is not nice
o- clear the user's screen
loss of privacy...
o- cause the remote user's computer to automatically access a web site without the user's knowledge or consent; active content can be instantiated
file system access...
o- create a directory on the user's file system
o- create a file on the user's file system
o- write data to a file on the user's file system
o- delete a file from the user's file system
o- append commands to autoexec.bat
o- rename the autoexec.bat
o- create infinite unkillable popups
o- consume all memory and CPU
In addition to these issues, it is possible to construct a scenario where a single user can instantiate a Distributed Denial Of Service (DDOS) attack with an amplification factor of 200:1 in a matter of minutes, after an initial one-time setup that is trivial in nature.
What has Yahoo done about this?
Despite knowing about the vulnerabilities, Yahoo did not act on them until a number of complaints were raised in Yahoo chat help and a list of the exploits was delivered to Yahoo via an unpublished internal Yahoo email address. Attempts to notify Yahoo via regular channels, such as the privacy advocate and the customer advocate, did not even result in a reply or an acknowledgement of the problem.
After weeks of knowing about the problem and doing nothing, they finally acted: they withdrew the current vulnerable version of Messenger from the distribution site and replaced it with an earlier version that was considered 'safe'. Then they released Yahoo Messenger 5.0.0.1050, which corrected the problem.
That was a long overdue reaction to the situation but it leaves an uncomfortable result...
Potentially millions of users of the vulnerable version of Yahoo Messenger were unaware that they were at risk and received no notification that it would be prudent to update to a safe version.
Yahoo was advised that the only safe recourse was to withdraw service to the affected version and notify the customers that it would be in their best interest to update to the newer version, but Yahoo decided to take another approach. Instead of having the vulnerable version removed and updated, they opted to leave the vulnerable version on the client's computer and instead apply a server-side patch to prevent the exploits from reaching the affected clients.
The affected clients still have exploitable versions installed with the full capability of executing active content and being vulnerable to exploit.
This marginally effective solution would have been temporarily satisfactory IF the server-side patch had been effective, but the patch did not protect all the users; in fact it is STILL possible to activate the exploits 100% of the time on any of the vulnerable Messenger versions, because the patch is not sufficient.
Yahoo still shuns the prospect of advising its users of a known security problem, has never advised them to update because of it, and in fact has given no indication that similar events would be addressed any differently in the future, or that any number of other Yahoo services may also have vulnerabilities that are never disclosed to its clientele.
The current status is that potentially millions of Yahoo chat users are running a vulnerable version of Messenger that has known problems, and Yahoo is not even advising its users that the potential for abuse exists, or that an update is available and should be applied.
Yahoo also does not have a prominently available officer to whom security issues can be reported, or who acts on them in a timely and responsible manner.
It appears that no one at Yahoo is capable of understanding the need to advise users of this potential,
Currently it is not possible to safely interact in chat help using the Yahoo-supplied programs for chat. This forces us to use third-party clients, which are demonstrably unaffected by the vulnerabilities exposed by the Messenger and Java programs that Yahoo provides.
In fact, many users prefer third-party client access programs because of the lamentable history of problems with the Yahoo-supplied programs, which have left their users reformatting their equipment, reinstalling, and lowering security settings for the sole purpose of being able to chat, and have allowed their computers to be 'booted' and subjected to continual streams of pornographic advertisements, racial attacks, hate mongering, child molesters, cyber stalkers and other forms of visual and personal abuse, while Yahoo presents no active recourse for affected people to complain or even deal effectively with the situation. Other issues included the continual exposure of users to password attacks, private message forgery and identity theft.