Saturday, December 3, 2011

Vulnerabilities in Yahoo! messenger client. Active 0-day attack 3-dec 2012


There are multiple vulnerabilities in Yahoo Messenger's clients, breaking and ramping up in scale and permeation today.  
A Romanian security researcher last night published evidence of this attack, and a few sites (including me, and Bitdefender, etc.) have picked it up. "Allegedly[1]:" If you use Yahoo Messenger, there's a zero-day (unfixed and in the wild right now) exploit to which all versions, including the latest (11.5.0.152-us), are vulnerable.

Easy stop gap: change your Yahoo Messenger preferences to block anyone not on your contacts list. Or use a non-Yahoo IM client. There are many out there; my recommendations are Trillian, Adium X [osx] and perhaps Pidgin [win/mac/unix]. Or, rock it shell/xterm style with naim. :)

This is a hard one to get around otherwise, because of its focus on users' buddy lists for name gathering (I'm going to go out on a limb here and suggest that there's a possibility that contact names are being collected, creating a healthy "confirmed usernames" database, for future use in directed attacks).

There are two exploit mechanisms being reported. One via status-msg updates and another via user file trading. Both overlap using the same tactic:

1. The status-msg exploit uses a mechanism that, via the status update control, is able to update another user's status without their knowledge or permission.
  • The exploit changes your away/status/"tagline" to an attention-grabbing one with an embedded HTML IFRAME (inline frame, which can be made invisible) that loads malicious code.
  • The victim/target's client surreptitiously loads the iframe automatically (the client itself does it, no click needed), and its content directs the user to a multi-exploit page. It's pretty crafty. The pages are said to include:
    • (A) a PDF bug (a recent favorite), 
    • (B) an exploit to a locally installed (inline) flash vulnerability, 
    • (C) a Java exploit, 
    • (D) an Internet Explorer based attack (for those running IE as default).
  • So, pretty much anyone has the potential to be owned.
Since status messages generally have a really high "click thru rate" (percent of clicks vs. those that pass), this piggybacks on the oldest hack in the book: social engineering.

2. The second mechanism uses the same tactics, but embeds the iframe in the text of a message within what users/buddies would see when receiving a file-send request.
  • With that handy exploit, even if you refuse the file being offered, the code's already been sent to you via the iframe -- game's up.

(Update) 3. A third (unconfirmed) augmentation uses the "phone tree" method to cascade new iframe data to already-infected users, to get around landing pages being taken down.
  • Bitdefender further suggests that the exploit can be used for affiliate click-fraud dollars (you'd be "clicking on links" and ads that you never see, but the person nonetheless gets paid for them, because he's paid to direct traffic towards a site, and he's paid based on the number of clicks).
  • Regardless, Yahoo's decision to allow open HTML (iframes? really?) throughout their product is clearly a bad one. It shouldn't be too hard for Yahoo engineers to write an inline HTML stripper, but then again, a deploy of that scale would have the service down for hours.
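To show what the "inline HTML stripper" suggested above amounts to, here is an added example (mine, not Yahoo's code or the researcher's): a small Python sanitizer that keeps only the text of a status message or file-request message and flags any iframe, script, object or img tag it had to drop. The sample messages and the example.invalid hosts are constructed.

```python
"""Added example (not from the post or from Yahoo): a defensive inline-HTML
stripper plus detector for status-message / file-request text of the kind the
post describes. Sample messages below are constructed, not captured traffic."""
from html.parser import HTMLParser

# Tags that pull remote content or run code if an IM client renders raw HTML.
ACTIVE_TAGS = {"iframe", "frame", "script", "object", "embed", "applet",
               "img", "link", "meta"}


class _Stripper(HTMLParser):
    """Keeps only text nodes; records any active tag (and its src) it drops."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text = []
        self.flagged = []  # (tag, src-or-None) pairs

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            a = dict(attrs)
            self.flagged.append((tag, a.get("src") or a.get("data")))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_data(self, data):
        self.text.append(data)


def inspect_message(raw):
    """Return (plain_text, flagged) for one status line or file-request message.
    plain_text is what a client should display; flagged lists active tags found."""
    p = _Stripper()
    p.feed(raw)
    p.close()
    return " ".join(" ".join(p.text).split()), p.flagged


# Constructed samples: a benign status, a status carrying a hidden 0x0 frame,
# and a file-send request text carrying a remote image beacon.
SAMPLES = [
    "brb, lunch :)",
    'OMG look at this!! <iframe src="http://landing.example.invalid/x" '
    'width="0" height="0"></iframe>',
    'Sending you vacation.zip <img src="http://tracker.example.invalid/p.gif"> accept?',
]

if __name__ == "__main__":
    for s in SAMPLES:
        text, flagged = inspect_message(s)
        print("BLOCK" if flagged else "ok   ", repr(text), flagged)
```

A client applying this at render time would show the stripped text and could refuse the status update or file request outright whenever `flagged` is non-empty.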
We'll see what happens..

[1] C&D /that/, lawyer bitches.
[2] http://rstcenter.com/forum/44158-rst-schimbarea-statusului-y-messenger-explicatii-teoretice-si-tehnice.rst
