Researchers from BitDefender are warning Yahoo Messenger users of an unpatched vulnerability that lets attackers alter user's status messages and possibly perform other unauthorized actions that could be exploited by directing users to malicious spam links, according to Computerworld. The flaw, which is found in the application's file transfer API, allows attackers to write a script in less than 50 lines of code to send malformed requests resulting in the execution of commands without any involvement from victims.
In a blog post, Bogdan Botezatu, a researcher at security firm BitDefender, says, "If you can receive messages from contacts outside of your [Yahoo Instant Messenger] list, you are 100% vulnerable." The potential for this exploit affects Yahoo Messenger version 11x, including the newly released 220.127.116.11-us. (Also note, that according to the Yahoo! Messenger blog, they ended support for previous Yahoo! Web Messenger as of November 1, 2011 and urged users to download the new desktop client 11.x or use IM through Yahoo! Mail.)
BitDefender says Yahoo is aware of the vulnerability, but has yet to respond. The company has offered Yahoo proof-of-concept code to help close the exploit, reports computing.co.uk.