June 12, 2006 1:32 PM PDT

Worm wriggles through Yahoo mail flaw

A new worm that targets Yahoo e-mail users is on the loose, taking advantage of an JavaScript flaw, a security company has warned.

The Yamanner worm targets all versions of Yahoo Web-based mail except the latest beta version, Symantec said in an advisory released Monday.

At the time of the advisory, there was no patch for the vulnerability. But by later on Monday, Yahoo said it had come up with a fix for the flaw, which it said had affected very few of its customers.

"We have taken steps to resolve the issue and protect our users from further attacks of this worm. The solution has been automatically distributed to all Yahoo Mail customers, and requires no additional action on the part of the user," a Yahoo representative said.

Both Yahoo and Symantec are encouraging people to update the antivirus definitions on their PCs.

Yamanner arrives in a Yahoo mailbox bearing the subject header "New Graphic Site." Once the message is opened, the computer becomes infected and the worm spreads itself to people on the Yahoo e-mail contact list. The harvested e-mail addresses are also sent to a remote online server, which Symantec suspects may use the information for spam campaigns.

"The worm is taking a pretty novel approach," said Dean Turner, senior manager of Symantec Security Response. "It takes advantage of a JavaScript vulnerability, so the user doesn't even have to click on an attachment to get infected."

Yamanner exploits the Yahoo flaw by enabling the scripts that are embedded in HTML e-mails to be run by the user's Web browser.

The worm, which was spotted in the wild early this morning, has hit the remote server more than 100,000 times, forwarding Yahoo e-mail addresses harvested from unsuspecting users, Turner said.

Although the worm is spreading quickly, and no patch has been issued, Symantec is rating the threat a "2." The security vendor uses a 1-to-5 rating system, with "5" as its most severe category.

"Antivirus definitions have been released for it, and Yahoo is working on a patch, so we don't want to cry wolf," Turner said. "Although there is the potential the worm will affect a larger number of people, for now to raise it to another (higher) level would be inappropriate."

He added it is premature to predict whether this worm will morph into other forms and attack other browser-based forms of e-mail, such as Google's Gmail.

Systems affected include Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP, according to Symantec's advisory.

See more CNET content tagged:
worm, Yahoo! Inc., flaw, Symantec Corp., Yahoo! Mail

28 comments

Join the conversation!
Add your comment
Yahoo Groups
This is playing hell with Yahoo groups. We're having to moderate member's posts because of it. We've had several people from the same list affected.
Posted by TheReaperD (189 comments )
Reply Link Flag
Yahoo will have a fix SOON!
Yahoo! will have a patch by the end of the week, at the latest! Probably sooner...
Posted by gary85739 (613 comments )
Reply Link Flag
Too late
By then, thousands of people will be infected. Yahoo is
to blame for unnecessarily changing their Webmail system
to require Javascript.
Posted by Jackson Cracker (272 comments )
Link Flag
Help - Assistance required.with yahoo account
Is there a way, I could talk to customer service rep.of Yahoo who can help me with my account sudhi_bs and my friend's account madan7. I am willing to pay as well..

Thanks
Sudhi
Posted by sudhendra (3 comments )
Link Flag
where can I get patch?
How or where can I get this patch? Im desperate as I cannot log into my Ymail after opening 'New graphic site' email with worm!

thanks and if anyone can advise any way of getting rid of this worm
Posted by juppin (4 comments )
Link Flag
where can I get patch?
How or where can I get this patch? Im desperate as I cannot log into my Ymail after opening 'New graphic site' email with worm!

thanks and if anyone can advise any way of getting rid of this worm
Posted by juppin (4 comments )
Link Flag
Mac OS not affected
"Systems affected include Windows 2000, Windows 95, Windows
98, Windows Me, Windows NT, Windows Server 2003 and Windows
XP, according to Symantec's advisory."

Gee, what a surprise... yet another problem that does not affect
Macs! This makes one wonder why JavaScript seems to be getting
all the blame in this article. Could it be that the Microsoft operating
systems are at least partially to blame?!?
Posted by jim_mac (8 comments )
Reply Link Flag
Linux neither!
Boy am I glad I switched to Linux!
Posted by DJHeadley (1 comment )
Link Flag
Mac OS is still kind of affected...
I am on a Mac G5, and while I haven't experienced any problems
with it, it appears that Macs can be "carriers" for this thing. I
actually opened it, and everyone in my address book was sent
the email. The worm may not actually harm us Macers, but it still
opens with us...
Posted by ripete performer (1 comment )
Link Flag
Worm wriggles through unpatched Yahoo and I have lost my password to Yahoo
The worm has affected me (yahoo profile: sudhi_bs and my friend (yahoo profile madan7).
We are not able to login. Worst part is we have forgotten the security question to reset our password and also our alternative email address are invalid as yahoo id were pretty much our identity for past 8-9 years. WE both have tons of confidential information in yahoo account. Is there a way we can talk to yahoo security or customer support team. We are genuine folks and not any spammers. We need our identity back. We need our nemesis back. Can any onehelp? I can be reached at 408 203 9960 or Sudhi.Seshachala@gmail.com
Thanks
Posted by sudhendra (3 comments )
Reply Link Flag
Don't keep confidential info in a webmail account
Geez, use a little bit of common sense.
Confidential information doesn't belong in a webmail account.
Posted by JoeF2 (1306 comments )
Link Flag
New sign-in scheme
Yahoo Mail required that I fill out one of those bot evasion forms, but, other than that, I had no problem signing into regular Yahoo Mail. I haven't tried Yahoo 360.
Posted by J.G. (837 comments )
Link Flag
I don't think so
If you can't log in, then it's because of some other problem....this worm is a pain, but it doesn't wipe out passwords.
Posted by twinx1970 (1 comment )
Link Flag
contact yahoo help
I had this problem once. My friend knew my date of birth and answer to my secret question and he reset my password. Though I got my account back using the same info my friend used, I contacted yahoo support to change my secret question (you can't do it yourself). So try contacting them and they would help you
Posted by ggupta7 (137 comments )
Link Flag
contact yahoo help
I had this problem once. My friend knew my date of birth and answer to my secret question and he reset my password. Though I got my account back using the same info my friend used, I contacted yahoo support to change my secret question (you can't do it yourself). So try contacting them and they would help you
Posted by ggupta7 (137 comments )
Link Flag
I have the same problem..
I have been in contact with yahoo customer service but I like you signed up a long time ago (when I was sceptic of giving out my real details) and now can not verify my registration, but I can log into every other part of yahoo so I was hoping I could maybe varify its my account through Ymessenger?? anyone know what I can do...as I need my email account back desperately!!!

thanks
Posted by juppin (4 comments )
Link Flag
LOST MY PASSWORD TO YAHOO
I've been using YAHOO since 2000, never have an experience of losing my "PASSWORD", also have (3) three user's I.D. and (3) different PASSWORD with YAHOO, but never lost a single one. But you, how can lose your "PASSWORD" and answer to your secret question? Get an organizer where you can keep your secret PASSWORD AND USER'S I.D. and last but not the least, EAT MORE PEANUTS TO INCREASE YOUR MEMORY;-)
Posted by tenchi_nage2002 (2 comments )
Link Flag
Oh please Yahoo!
They say "FEW" have been affected? The entire Yahoo Groups has been affected. Put it this way I don't know anyone associated with Yahoo Groups who has not been affected.

I cannot even get into Yahoo Groups anymore, they even have Yahoo Customer Care down.

As for the letter they emailed everyone? When and where?!?!
Posted by Lpahl (1 comment )
Reply Link Flag
Headline should read 'Windows worm'
Also, the grammar is a giveaway. The message should read g-r-a-p-h-i-c-s. Spammers and malware makers often make mistakes in spelling and grammar.
Posted by J.G. (837 comments )
Reply Link Flag
Headline is fine, it's not limited to Windows machines
It's a flaw in the Yahoo mail system that allows javascript from the source email to be executed by the receiver of the email and has no windows specific code.
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
You sure this isn't a IE BROWSER FLAW.....
....and not a Yahoo JavaScript Screwup? Being a web developer I've see this a mile away? Javascript functionality is dumbed down because of IE's way of blocking certain script actions.

Take the MN Department of Public Safety. The code they use on there DMV site puts every DMV computer at risk of being exploited by this code. EVERY DVM PC.

There web code (MN DMV) requires the web code to use certain DNR printer templates that reside on the user's computer, not on a web server. So when someone from the MN DMV has to print out a DNR tag or any other orange tag for that matter the web code REQUIRES the need to access the printer templates on the local computer.

How does this put every MN DMV computer that uses this technology at risk? Well, say for instance a state employee decides to do there own surfing on lunch break ( I've personally seen this, so don't say it doesn't happen) and they come across a rogue website that uses JavaScript to access the local computer. You can figure out what can happen at this point. The security issues that this presents is just aw inspiring.

This would also allow TOTAL CONTROL of the host computer as well as the ability to download rogue code in the background unknown to the user until something terrible happens.

The solution for MN DMV:
Keep the template files on the web server for local web server access. You say there are so many people accessing the templates that it would decimate the performance of the servers! I tell you get a better IT staff, faster pipeline, and better servers. That will solve all of your problems. The MN DMV that is.

So you think that the MN DMV and Yahoo only have this problem you better check out your own web code. JavaScript is Super Powerful and part of the new Web 2.0 and AJAX era that's going on right now. So start practicing practical and safe coding!

Justin
Tech01.net
Posted by OneWithTech (196 comments )
Reply Link Flag
No, it's not an IE browser problem
It's a Yahoo mail system problem that allows Javascript from the sender of the email to act as the receiver of that email. Despite notes (and an incorrect "affected systesm" list) to the contrary, Mac and Linux users who use Yahoo mail are also subject to this worm.
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
Macs NOT safe!
Contrary to what Jimmy Mac posted earlier, this worm does go through on a Mac system. I'm running OS X at home and opened one of the infected emails in my Yahoo account. 24 hours later, I'd gotten hits from all of my Yahoo groups, all with my email address on them as the sender.
Posted by BenPanced (1 comment )
Reply Link Flag
re: Macs NOT safe!
The list of affected systems for this is incorrect, it's any browser with Javascript enabled which is also capable of working with the Yahoo mail system which is affected but in this Windows centric world the clowns that built that list thought only about Windows.
Posted by aabcdefghij987654321 (1721 comments )
Link Flag
I GOT HIT WITH YOUR WORM. HELP!
I GOT YOUR WORM/VIRUS TWO DAYS AGO, I COULD NOT SEND ANY EMAILS. INCOMING WAS NOT A PROBLEM. I DELETED THE BETA VERSION OF INTERNET EXPLORER ANDI AM OK NOW.
Posted by Howard Moss (1 comment )
Reply Link Flag
yahoo worm
hi all,

here's the problem I've been having:
yahoo won't let me sign in, I can use messenger but it just won't recognize my ID and password when I sign in to check mail for instance, it keeps taking me back to the sign in page,

furthermore it seems my cookies have been disabled as my bank page and amazon who have cookies asked me to re-sign.

it could be the worm, thought I don't remember clicking on it but with the amount of crap I get everyday, I may have clicked it by mistake.

if yahoo has indeed emailed a fix, how can I open the email if I can't sign in? also I tried singing in from another computer and I got the same response, it would keep reloading the sign in page

any help? thanks
Posted by gmoggo (1 comment )
Reply Link Flag
One man blog site does better
job of reporting this issue than CNet.

READ it HERE: <a class="jive-link-external" href="http://p2pnet.net/story/9059" target="_newWindow">http://p2pnet.net/story/9059</a>
Posted by btl-jooz (81 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.