Alerts
Yahoo! Mail Exploit
Date: 06.12.2006
Threat Type: Malicious Code Alert
Websense® Security Labs™ has received several reports of a new worm spreading to Yahoo! web mail accounts. Yahoo! Mail does not correctly filter the "onload" attribute out of <img> tags in HTML emails, so the "onload" script is executed upon receipt of the malicious email. The script uses the Yahoo! QuickBuilder tool to mine all the email addresses from the victim's inbox. The worm then mails a copy of itself to each of these addresses and sends the list of addresses to a third-party site, where the attacker can use them for other purposes. Finally, the worm redirects the victim's browser to a third-party site that displays numerous advertisements and could potentially deliver additional malicious code.
Currently, messages sent by the worm use "av3@yahoo.com" as the From address and "New Graphic Site" as the Subject.
Note: These values could easily be changed by the attacker.
The exploit succeeds even if users' preferences are set to block images in HTML emails.
The site used to harvest email addresses has been placed in the Malicious Websites category. However, other attackers could quickly adopt this exploit to deliver a more serious attack. Websense, Inc. recommends that customers filter Yahoo! mail or use the Web-based Email category until this exploit is resolved by Yahoo!.
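The filtering gap described above (an "onload" handler surviving on an <img> tag) is the kind of failure an allowlist sanitizer avoids, because it rebuilds each tag from permitted attributes instead of trying to strip known-bad ones. The following is an added example, not Yahoo! or Websense code; the allowlist, the `sanitize` function name and the sample message are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist assumed for this example: tag -> attributes permitted on it.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(),
           "a": {"href"}, "img": {"src", "alt", "width", "height"}}
VOID = {"br", "img"}  # elements that take no closing tag
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class MailSanitizer(HTMLParser):
    """Rebuild a message body from allowlisted tags and attributes only."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so onLoad == onload.
        if tag not in ALLOWED:
            return  # unlisted tag dropped; its text survives only as escaped text
        kept = []
        for name, value in attrs:
            # Anything not allowlisted is discarded: onload, onerror, style, ...
            if name not in ALLOWED[tag] or value is None:
                continue
            url = value.strip().lower()
            if name in ("src", "href") and not url.startswith(SAFE_SCHEMES):
                continue  # rejects javascript:, data: and other schemes
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))


def sanitize(html_body):
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)


# Constructed sample body (not taken from the worm); the handler is a placeholder.
SAMPLE = '<p>Hi</p><IMG SRC="http://example.com/a.gif" onLoad="doSomething()">'
if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Because the handler attribute is removed from the markup itself, the result does not depend on whether the client is set to load or block images.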






