December 15, 2006 2:54 PM PST

Yahoo's IM update: A Trojan horse of surprises

Yahoo said late Friday that it has fixed a bug in its newest version of Yahoo Messenger that changed a user's mail preferences without his or her consent.

But the company has stopped prompting customers to update the software until it can sufficiently test that the fix works, said Yahoo spokeswoman Terrell Karlsten.

"We're testing the fix until we can get it behaving the way we want it to behave," she said.

Yahoo Messenger 8.1, when it was released Friday, automatically installed a Yahoo Mail icon in a user's system tray and changed the user's default mail settings to Yahoo Mail, said Karlsten.

Yahoo had alerted 73 million users worldwide (or all those using its IM service before November 2) to download the latest software version, which includes free or low-cost PC-to-PC calls among its chat features.

The company said the update increases stability and reliability, and improves security. The previous software contains a security flaw that could cause other applications like Microsoft's IE to crash, or prompt users to be involuntarily logged out, Karlsten said. The new version, she said, fixes that issue and bundles in new features like interoperability with Windows Live Messenger.

"The reason why we do a package, bundle everything together, is so people can get the latest version with the security updates and the great new features," Karlsten said.


By default, the software also inserts the Yahoo Toolbar into the user's Web browser and changes the user's personalized home page and search settings to In the original download alert, people could choose to customize the installation under "options" and then uncheck these default settings. What users couldn't change, however, was that the software added a Yahoo Mail icon to the system tray and changed their default mail settings to Yahoo Mail.

Yahoo's Karlsten had said the engineering team was not aware of the Yahoo Mail issue and was actively working on a fix. But she said that the problem affected only a subset of existing users. She added that the company realizes everyone might not want all of the features it offers and that's why users can customize their installation. "We have really made sure we've given people choice," she said.


Finally, for some people running Microsoft's Internet Explorer 6.0, Yahoo's changes will crash the browser application.

Karlsten said that Messenger should be compatible with IE 7 and earlier versions, but the company is investigating.

The company also added language to its terms of service related to a new auto-updater practice. In the default setting, Yahoo will automatically download software to the client's PC whenever it has an update, and then alert the user when to install the software.

Jacob Nielsen, an expert on user design and principal of Nielsen Norman Group, said that Yahoo is not alone in its default changes, but the strategy runs contrary to what he calls software ethics.

"The basic principle is do not change users' preferences from under them, or not through deceptive dialog boxes because a lot of people click through, like 'yeah, yeah, yeah,' without reading them," said Nielsen, author of Prioritizing Web Usability.

"You don't want to make any changes unless they ask for it," he added.

Through research he's found that the average person on the Internet is clueless as to how to fix the changes that software bundles--like Yahoo's--typically make to their PC. Only people who are tech-savvy or work in the industry understand the concept of maintaining preferences that they can change, he said.

What's more problematic, he said, is that problems or collective clutter resulting from software bundles can serve to confuse the general public and cause consumers to be afraid of downloading anything.

"To the average user, they think, 'My computer used to work and now it doesn't and I don't know why.'

"All these small violations pollute the interface and degrade the ability of all the service providers to make updates, especially when they step over the line," Nielsen said.

At least one longtime user of Yahoo Messenger won't download the new version because she expects problems.

"I don't plan to download the latest YIM because the last one took over so many things without telling me beforehand that it took days to get it all untangled," said Erica Schroeder, a tech executive in the San Francisco Bay Area. "I was so mad I almost dumped the application off my system entirely. Yahoo should know better."

I updated this morning and it gave me....
I updated from 8.0 to 8.1 this morning and I was given the option to do a custom install. The custom install gives you the ability to prevent the default installation and the associated changes it makes. So, unless Yahoo! changed the procedure from the way it was implemented this morning, this report is incorrect.

As far as I know, those changes only occur when the user chooses the default installation and that's how it's been with Yahoo! Messenger for some time now.
Posted by anarchyreigns (299 comments )
Did you have the toolbar installed?
I did not, and did the custom install. I discovered Yahoo toolbar installed when I did not permit it to be installed.

The report is accurate. I removed all Yahoo products from all of my PC's after this mess.

Yahoo! If I want it, I'll download and install it. It's sad that you are beginning to behave like AOL.
Posted by law_hog (43 comments )
Also Updated
As a long term possessor of Yahell Messenger I was wise enough to select the custom install yet afterwards was still greeted by the mail icon on the desktop. I didn't have the hassle of Yahell taking over my home page settings but I didn't notice and wonder why Mozilla's Thunderbird was asking me if I wanted to have it set as the default mail client upon opening it for the first time after. Now I know.
All in all the report is accurate to an extent and while it serves as a warning to those who haven't updated it's a case of closing the barn door after the horse has bolted. Furthermore it doesn't really do anything to help those persons who don't realise they can 'custom' install as the likelihood is that they wouldn't be on c|net reading tech news anyway.
Posted by j3st3r (70 comments )
Expect better....
You know...things like negative option billing is illegal in Ontario and so should negative option bundling.

Yahoo...if your products are good put them in as an OPTION TO INSTALL not an OPTION TO UNINSTALL. You look very unprofessional doing it this way.
Posted by KsprayDad (375 comments )
I got no trojan horse
There is no virus. I got the install message today and did the upgrade. My anti virus didn't find any trojan horse. I unchecked all boxes to just get the IM like always. My email default got changed but article says they are fixing it.
Posted by freddyflinty (2 comments )
Did you read this article?
There is no mention of a virus. Try looking up what a trojan horse
actually is....
Posted by k103 (3 comments )
Obviously no clue what Helen of Troy did. Pity
Posted by gggg sssss (2285 comments )
No way this was a "mistake"
The last few versions of IM have been installing more than they should. All I've ever wanted was the Messenger - nothing else. But there is no way to prevent extra crap from getting installed, and even a partial uninstall won't remove all those extras. I had to get hints from a hacker site to disable the add-push engine, and a firewall to cut down on the Phone Home nonsense.
Really, can any of this be an accident?
Posted by Marcus Westrup (630 comments )
What should I do?
I downloaded the update BEFORE I knew of this. SO I'm wondering what I should do to see if anything on my laptop or my Y! mail acct have been changed/affected?
Posted by Voltron_Fan (3 comments )
First thing Monday morning - a new broup policy - no more Yahoo IM, Mail, Toolbar in my network. But Yahoo is not alone - Quicktime tries to install iTunes and take over all media, Google is not quite as bad but who needs Google desktop?
Posted by gggg sssss (2285 comments )
oops Group Policy
bad spellcheck
Posted by gggg sssss (2285 comments )
A "bug", but NO
Whatever Yahoo. A bug is unintentional, you meant for this version to hijack a person's email client just like you have their search engine and homepage for years. You are so out of touch with reality it isn't even funny.
Posted by PCCRomeo (432 comments )
Simple Solution: Switch to Google Talk.
Posted by anarchyreigns (299 comments )
Not As Simple As That...
...there are two issues ppl fail to action by downloading GTalk & kidding themselves that they've installed an "inherently more secure browser". GTalk isn't inherently any more secure than YIM. True, it doesn't force as much non-IM-related "drive-by" software on your system as YIM, and that's to GOOG's credit.

Installing a powerful two-way encryption software or hardware program on your system and the systems of those with whom you correspond is the best way to optimise the security of your IM comm's. And generally these products aren't available at Best Buy.

For those of you considering the switch to YIM, before doing so, educate yourself by sending a simple email to Yahoo Support that asks:

"We need to install a great IM like yours. But we never use Microsoft's Internet Explorer browser. We only use the Firefox and Opera browsers - do these work as well as IE with your IM?"

To Yahoo's credit, starting with this summer's announcement of their official strategic partnership with Microsoft, they now answer this support inquiry honestly. They actually have the courtesy to give you a straightforward answer: "No."
Posted by i_made_this (302 comments )
Terry Smell Fails Us All
Fat Man with fat wallet writes fat code. Fat Man cannot write a decent spam filter, resulting in Yahooers being bombarded with spam from Korea, China, Russia, and Brazil. Fat Man's HTML image blocking option no longer works. Does Fat Man even know how to use a computer?

Here Fat Man, see the garbage spam I have to put up with in one single day because you are too busy bombarding Yahoo customers with ads in your Messenger and hijacking their browsers to write a decent spam filter. Know how many spam emails I get in Googlemail Fat Man? Zero! Maybe you could learn something from them.
Posted by CancerMan2 (74 comments )
still doing it.
Stupid yahoo! Everyone cover your eyes, because I'm about to blow. Maybe they'll see it from wherever they are.

Posted by mattumanu (599 comments )
"Update?" Could have fooled me!
For Mac users, this was a complete non-event. We STILL have NO VOICE CHAT, which is one of the BIGGEST gripes many users have had about this system!

Yahoo has been promising it to us for YEARS and still hasn't delivered.

And, on the PC side, when I read the article, I had to laugh. What high school programming class project actually did this alleged "update" for them?

Even a Programming 101 student knows that it is basic coding to set defaults and load a program! Evidently, no one told the development team at Yahoo this when they went through their mail order programming classes.

And Yahoo development "didn't know that the product was not compatible with" Internet Explorer 6?

Who do they THINK are they kidding?

Basic product testing protocols REQUIRE that a product like this be tested on the most common browsers. And IE, last time I looked, was THE most common browser. So one would obviously check for the TWO most recent releases - 6 & 7.

But not Yahoo, evidently.

So, I have to ask, again - WHICH high school programming class gets the 'F' for THIS boondoggle?

Or, perhaps I should ask "Which MANAGER at Yahoo should get the 'F' for not REVIEWING their WORK PROPERLY?"

Because that's the real question.

This critter was let out of the stable before the vet gave it all of its shots.
Posted by mstrhypno (49 comments )
Internet Explorer 7
D/l IE7 when first came out. Continuous scrolling. Emailed Microsoft, no answer. Restored system.
D/L again past week. Scrolling still there, could not sign on to my Yahoo. Again emailed Microsoft. again no answer.
Day 2, could not even sign on to wireless connection. Restore again. I think I will go shopping for some fresh fruit.
Posted by patleiby (3 comments )
Windows Live Search???
Windows Live Search does the continuous scrolling... it's a feature not a bug! Try changing your default search engine to Google or something and see if you still get the scrolling thing.

Better yet, try switching to FireFox :] Much cheaper than buying a mac.
Posted by SeizeCTRL (1333 comments )
Hey...Moron! Ya you installing software!!!
1. While I *do* hate how some software defaults to changing settings and doing things "automatically" for you without asking, like automatically starting with windows without asking you if it should... Yahoo IM! like *most* installers DOES have a CUSTOM INSTALL OPTION!

2. If you are installing software on your computer and you STILL haven't realized that the default / typical install isn't usually a good idea, then you are an idiot and need to wake up!!! You should ALWAYS look for a "custom install" option. Yahoo IM! is no different. It has always had a custom option that lets you turn off all their default crap like changing your home page for instance. Sure they shouldn't try to change those settings ANYWAY, but you could have been alert enough to click CUSTOM instead of just clicking NEXT.

Don't bash Yahoo! for trying to get a little bit out of giving you a free IM program. It's not like they bundle spyware like some craptastic folks do. How do you think they make money on giving away free software? Advertising! How do they do advertising?? Through their website! and through their IM!

So next time you install something.... PAY ATTENTION!!!! Look for a "Custom" option. Never accept some unknown default installation. Think about what you are doing, and think about what the software might be doing when you look at the list of options during installation. Sometimes the defaults are great. Sometimes they suck!
Posted by quarky42 (17 comments )
You must not support users.
Sure, most software has a custom install box, but most users have probably looked at it and got confused by the options. So they tend to choose the "default" install thinking the software publisher knows best what choices are needed to make the new software work properly.

You are a computer enthusiast. You are not the regular computer user. Regular users want the simplest choice when using their machines, and generally expect that computers can give them what they want with the push of a button.

Secondly, Yahoo changed the default nature of their install. Anyone who habitually installed Yahoo IM upgrades were accustomed to the same install choices each time. This time, Yahoo snuck in a Yahoo Toolbar, e-mail client and changed the default web page to their own website. This is simply wrong and it does represent the typical actions of a trojan software install. Yahoo should know better, and they need to better protect their image with users, because users have high expectations from Yahoo.
Posted by (942 comments )
Yahoo should be prosecuted for this one
Yahoo crossed the line in this one. I always uncheck all the extra garbage this thing just took over, like a piece of adware, and started downloading stuff on its own. Took over homepage, added Yahoo toolbar, took over mail defaults. Yahoo is desperate after slipping behind MySpace: they haven't had a new idea in years and will do anything to retain their market share.

Yahoo was once cool but isn't anymore: they've been just rolling along on vapor. I already boycott the Yahoo "search" (read: ad) engine: will dump YIM within the next few days.
Posted by michaelo1966 (159 comments )
Um ok...
Go ahead... prosecute away, because we all know how damn hard it is to change back your default home page. Even harder to set your mail client back to default. It's not like when Thunderbird or Outlook/Express open up they ask if you want them to be default. If clicking [YES] is too much for you to do, then yes, by all means start calling up lawyers.
Posted by SeizeCTRL (1333 comments )
For the love of god...

It's annoying! If I just want Yahoo Messenger, that's all I want. If I want QuickTime, don't make me download iTunes along with it. Make it easier to get just one piece of software without having to get the entire bundled package. Offer the bundle for those who want it, but also make it available as a standalone package.
Posted by SeizeCTRL (1333 comments )
Avoiding Bundling makes no $en$e to these companies...
However, I agree with you 1,000%!!!

If I want a certain software, I'll make that decision and get it. I don't need some company pushing stuff on me I do NOT want or necessarily need!!!

And, YES, Yahoo! has gone way too far with this one!!! They need to be reined in and taught some lessons!
Posted by btljooz (401 comments )
Yahoo needs to worry MORE about
its OWN system!

A bot infected Y!s "Answers" section last week and epitomized on Saturday (as far as I know, that's the last time I was in there).

Here's the link to a list of "Questions" discussing it:

;_ylt=Anae8GJwXU9w5LcLVTwKdnUjzKIX?p=%22man%22-bot

I HOPE that link allows you to see the PROOF of the holes Y!s OWN servers have in them!

Yahoo! needs to look in the mirror FIRST and leave its users' computers ALONE!!!!
Posted by btljooz (401 comments )
The author doesn't know what a Trojan Horse is
This is *not* a trojan horse. It's merely an installer like all other installers from the big internet companies, tries to install additional components onto your computer by default. There's a pretty obvious way to prevent this from happening.

I wish CNet would report on real news and not blow these non-stories out of proportion when they're too lazy to do real journalism.
Posted by JoeCrow (83 comments )
Nothing new from Yahoo
Yahoo has had other applications installing its search engine and IE bar for years. It's one of the pushiest applications company I've ever seen.

Why would this surprise anyone?

I don't often leave it on any machine I use as the search engine tends to mess up the URL and want to search for web pages that are simply down at the time. This wastes time. Sure I can change that in options but why bother for something that doesn't add function for me at any rate? BTW MSN search has the same problem. Same engine? One wonders.
Er Google rules <G>
Posted by Marv99 (3 comments )