Hackers are again targeting Yahoo's instant messaging software, security vendors have said, making it critical that users patch the Windows program immediately.
A modified version of an exploit made public last week is being used in the wild, Symantec said in an alert to customers of its DeepSight threat network. "At least one website is known to be hosting the exploit," said Symantec's warning. "Customers are advised to blacklist the n.88tw.net domain."
Last Wednesday, just a day after eEye Digital Security said it had found a flaw in Yahoo Messenger, a hacker posted details of vulnerabilities in two ActiveX controls distributed with the IM client, along with proof-of-concept exploit code. Later that same day, Yahoo patched Messenger and urged users to download and install the new version as soon as possible.
The SANS Institute's Internet Storm Center's (ISC) analysis noted that the in-the-wild exploit differed only slightly from the code posted last week on the Full-disclosure security mailing list. The exploit lets an attacker hijack the PC, then inject more malware into the computer.
"This dropper downloaded further components, of which one was called 5in1.exe," said ISC analyst Bojan Zdrnja yesterday. "We haven't analysed this yet but judging just by the file name, it doesn't sound good."
Over the weekend, Yahoo also added a "Security Update" warning on the Messenger home page to inform users of the new, patched software.