New zero-day Yahoo Messenger exploit allows malware to spread via hijacked statuses

Discussion in 'other security issues & news' started by Hungry Man, Dec 5, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    http://nakedsecurity.sophos.com/201...essenger-exploit-hijacks-users-status-update/

    An unpatched zero-day flaw in Yahoo Messenger allows remote attackers to fiddle with any user's status message - allowing malware to be spread, Bitdefender security researchers revealed on Friday.

    Vulnerable clients are found in version 11.x of Messenger, including the freshly released 11.5.0.152-us version.

    The reason the status update vector is so dangerous boils down to trust, the researchers said. Because status updates only go out to a user's small group of friends, those friends are likely to click through, and that's when the nastiness begins.
     
  2. Keyboard_Commando

    Keyboard_Commando Registered Member

    Joined:
    Mar 6, 2009
    Posts:
    690
    Yep, beware Yahoo Messenger users. A friend of mine contacted me the other day and told me to check my messenger friends list, to then look at his status ... the status read that he was a pedophile and other malicious things. And when I asked why he'd written that about himself, he had no idea how it had got there. Having been a long time user of Yahoo Messenger myself I figured this must be an exploit or kiddy script - I might add - one of the many - over the years I've been using Yahoo Messenger. So I believed what he was saying. Could have been embarrassing.

    Yahoo Messenger has link cloaking which can be displayed to your contacts in the messenger friends list. What appears to be a YouTube link, and the like, could be something dangerous. So be careful folks.
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,189
    Location:
    Texas