Home / Culture and Society / Science and Technology / Yahoo! Wins July Bug of the Month

Yahoo! Wins July Bug of the Month

Please Share...Print this pageTweet about this on TwitterShare on Facebook0Share on Google+0Pin on Pinterest0Share on Tumblr0Share on StumbleUpon0Share on Reddit0Email this to someone

Every month the BugBlog picks its Bug of the Month, representing the most significant bug found in the past month. Sometimes, the bug will be the one which could potentially cause the most damage; sometimes it will be the bug which affects the most users. And sometimes, it will be the bug that is just the most interesting. This bug will be selected either from the free Bug of the Day, or from the subscription-only BugBlog Plus.

This month, the Bug of the Month goes to Yahoo! for the bug in the 6/15 BugBlog:

A bug that affects Yahoo! Mail has been patched. According to security researchers, all you needed to do was view the infected email in the Yahoo! mail window, and some JavaScript would run. You did not need to open an attachment. The email itself would have the subject line of "[random word] New Graphic site", and this particular attack has been named Yamanner by the AV companies. See an early report and some post-patch analysis. In any event, it's probably safe to look at your Yahoo! Mail again. (Good thing I opened that Gmail account.)

Why this bug? This bug earns Bug of the Month status because of how easy it was triggered. You didn't need to open an attachment – all you had to do was preview the message in the Yahoo! Mail window, and some embedded JavaScript would run, harvest email addresses, and send out more messages. That made this bug especially dangerous. The flaw was in the way that this Ajax JavaScript application designed by Yahoo! didn't do validation checks.

The good thing was that users didn't have to implement a fix. Since this was a hosted application, Yahoo! implemented the fix themselves.

Powered by

About Bruce Kratofil