Security Response

New Yahoo! Mail Worm

Created: 11 Jun 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:59:17 GMT
Symantec Security Response

Webmail providers, such as Yahoo! Mail and Hotmail, are possible vectors of infection from mass-mailing email worms. As with Microsoft Outlook and other common email programs, if you download and execute programs from an email client, you run the risk of executing malicious code. If there is a vulnerability in your email client, malicious code can even execute automatically. Webmail programs are similar to email clients that are installed locally and are equally affected by vulnerabilities. For example, a variety of Outlook issues have been discovered in the past where attachments were automatically executed simply because a user previewed an email message. Webmail programs are not immune from this type of vulnerability.

A new Yahoo! Mail worm, JS.Yamanner@m, is making the rounds by exploiting a vulnerability affecting webmail. Yahoo! Mail automatically renders attached HTML files so that you don't need to download and load them in the browser yourself. During rendering, Yahoo! Mail attempts to find any JavaScript in the file and neuter it so that it cannot execute. If that filtering fails, the JavaScript runs in the context of the yahoo.com domain, and an attacker can read your mail, view your contacts, and make other changes within your mail account.
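The following is an added example, not Yahoo!'s code and not part of the original post: one way a webmail renderer can neutralise script in an HTML attachment is to rebuild the markup from an allowlist instead of searching for script to remove. The tag, attribute and scheme sets, the names `MailSanitizer`, `sanitize` and `is_safe_url`, and the sample input are all assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this illustration: tags and attributes not listed are dropped.
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "p": set(), "b": set(), "br": set()}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
DROP_CONTENT = {"script", "style"}  # text inside these must not reach the output
VOID_TAGS = {"br", "img"}
SAMPLE = '<p onclick="x()">Hi<script>x()</script><a href="javascript:x()">go</a></p>'  # constructed

def is_safe_url(value):
    # Browsers ignore whitespace and control characters inside a scheme name.
    cleaned = "".join(ch for ch in value if ch > " ")
    scheme, sep, _ = cleaned.partition(":")
    return bool(sep) and scheme.lower() in SAFE_SCHEMES

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
        if self.skip_depth or tag not in ALLOWED_ATTRS:
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            # Drops on* handlers, style, target, and URLs with unlisted schemes.
            if name in ALLOWED_ATTRS[tag] and (name not in URL_ATTRS or is_safe_url(value)):
                kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_ATTRS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))

def sanitize(html_text):
    parser = MailSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out)
```

Calling `sanitize(SAMPLE)` keeps the paragraph and link text but drops the event handler, the script element and the link target. Relative URLs are also rejected under this policy because they carry no scheme.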

UPDATE: For an in-depth look into Yamanner, please see Malicious Yahooligans.

While proofs of concept have been posted demonstrating vulnerabilities in these webmail programs, we had not seen one being used for a self-replicating worm, until now. JS.Yamanner@m is a first, and at the time of writing the vulnerability is still unpatched.

Fortunately, webmail programs have an advantage because they are server-side. So, when Yahoo! is able to patch this vulnerability, the worm will be dead. With client-side email programs, administrators would need to ensure that all of their users apply available patches to their local email client installations. The good news is that in this case, as soon as Yahoo! patches the vulnerability, it will be patched for all Yahoo! Mail users.