
24524 Re: [Y-Mail] Yahoo Mail Hack Sending Emails With Single Link To Rogue Websites

  • Shal Farley
    Mar 6, 2013
      Lena,

      > The weaknesses are not in yahoo, but in Windows, browsers and their plugins
      > (Java, Acrobat, Flash), ...
      > If you use Windows then you are vulnerable, yahoo cannot fix your Windows.

      Or perhaps one of those plug-ins.

      I've evicted Java from my computers -- too many zero-day exploits in a row, and I don't know why I had it. That is, nothing I use daily has stopped working; no doubt I'll get a reminder eventually.
      <http://krebsonsecurity.com/2013/03/oracle-issues-emergency-java-update/>

      Acrobat, as a browser plug-in, has been eliminated for me by Firefox 19, but I still use it stand-alone with files I've created. Flash is a little more problematic as many sites I do use daily use Flash.

      > Another proof: I use Unix instead of Windows on my (usual) computer at
      > home, so I could safely experiment. I don't Sign Out of yahoo. An XSS
      > exploit should work with any browser under any operating system, however
      > I clicked links in several such spams but addresses in my webmail
      > address book and Sent folder weren't spammed.

      If the plug-ins are involved there may be more variables than just the OS. The victims may have had an outdated plug-in whereas you no doubt keep yours up-to-date, or possibly don't use them.

      After all, we don't know what percentage of the people who received and clicked on such links were subsequently exploited. All we know is that it was apparently enough to propagate the problem to others. I'd actually expect that people prone to click on rogue links are also people prone to ignore updates, but that's just a stereotype in my mind.

      -- Shal