Even if you installed Yahoo! Messenger as recently as August 20th, 2007 you may not have the very latest version.
You can check to see if you have the latest version by clicking the 'Help' menu option at the top right of your Yahoo! Messenger window, and then clicking 'About Yahoo! Messenger' or 'Check for Updates'.
If your Yahoo! Messenger version number is 8.1.0.416 (or higher) then you have the latest and do not need to take any immediate action. If you are running anything lower than 8.1.0.416 then please upgrade to the latest version.
Source: Yahoo! Messenger blog
It seems like a classic heap overflow which can be triggered when the victim accepts a webcam invite. Note that this vulnerability is different from the recently patched one in June which exploited the Yahoo! Webcam ActiveX controls.
We've been able to reach Yahoo! security team and have informed them about this issue.
We recommend the following to users using Yahoo! Messenger Webcam:
- Don't accept webcam invites from untrusted sources until a patch for this is released.
- It's advisable to block outgoing traffic on TCP port 5100 until the vendor patches this vulnerability.
Although there are no known cases of this security hole being misused, I can't help but feel McAfee have made the situation worse by making the details public. Then again you could argue I am at fault for doing the same. If you are a Yahoo! Messenger user be careful accepting webcam invites until the issue is fixed.
View the post at avertlabs
In order to prevent the spread of a malicious advertising effort that included Windows Live Messenger accounts as targets, Microsoft took steps to block instant messages that include the words '.info' and a few additional key words to protect our customers. The targeted accounts were sent either info or another URL, which led to a website asking them to provide their Windows Live user id and password. If the customer provided that information, the user's complete contact list also received a message with the domain site link. This was not a Microsoft sponsored effort, and in order to prevent the spread of it through our service, instant messages that include the words '.info' and a few additional key words have been blocked. This action may block some safe, reputable sites and we apologize for any inconvenience this may cause our customers, however, given the circumstances this action was necessary. In an effort to remedy this moving forward, Microsoft continues to investigate other ways to protect our consumers from this threat.
Microsoft recommends that Windows Live Messenger users do not provide their account information to third-party sites. To learn more about how to recognize a social engineering threat, more information is available at http://www.microsoft.com/athome/security/email/socialengineering.mspx. In addition, Microsoft continues to encourage people to follow the 'Protect Your Computer' guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at www.microsoft.com/protect.
Personally, although the reasons behind the block are still not valid in my opinion, the sloppiness of the feature has been changed so that not every message with '.info' within it is blocked. Now '.info' is only blocked in things that Messenger recognises as URLs and turns into clickable, blue links. The user will also be notified that their message never went through, but they will not receive an explanation why.
Any virus creator can just encode the URL or use services such as TinyURL to work around this. The people losing out are me and you, who need to send non-dangerous messages to our friends and work colleagues every day.
I still believe things should be blocked on a case by case basis (if not blocked at all). The feature is still poorly implemented, but after the attention of the past week hopefully something will be done soon.
For me it wasn't that much of an annoyance, I've been receiving a swarm of hits since all this was revealed, maybe I should stop complaining?
Source: mess.be
The list of blocked strings is stored on the Messenger servers so that it can be quickly downloaded to instantly update your Messenger with any new entries without you having to download a whole new version. After playing around a bit with the Messenger protocol (aka MSNP) I managed to retrieve the list from the servers.
Unless there was a problem downloading the list, which there didn't appear to be, the Messenger team have started removing the end of lots of strings - presumably to try and stop even more bad site links getting sent. For example .p used to be .pif and .s used to be .scr and on several other strings .ph used to be .php, .e used to be .exe and .c used to be .com.
Because the list currently contains 124 entries I've made an image containing them all. This also means that you cannot easily copy the text to try and visit any of the URLs in the list which would potentially end in your computer being infected with some kind of virus, adware, spyware or worm, or expose you to phishing scams.
View the image of the list of censored strings
If you want to find out more about how these entries are used or why the .* in some strings actually slows your computer down then there is a discussion expanding upon these ideas started by TheBlasphemer, the creator of StuffPlug, over at the StuffPlug forums.
Tue 31 Jul 2007 (14:59 GMT)
This is their response to the vast amount of viruses spreading using URLs containing '.info'. However, instead of blocking domains on a case-by-case basis, Microsoft has blocked millions of useful webpages by suggesting that all .info domains are dangerous! This is a typical example of sloppy, rushed programming.
I find this surprising after an article got some attention about Microsoft already censoring messages containing .pif, download.php or staff.php, but this is really pushing it. I wonder whose decision it was to block all .info domains being sent over Messenger?
This paranoid attitude to scanning messages on both the client and server side is also causing Messenger to act slow and even freeze up! There must be some real poor programmers developing Messenger and I have no idea why Microsoft has done nothing about this.
Source: mess.be
One of my friends sent me a message today and I realised she had gotten one (her little sister clicked a link she shouldn't have).
IM-Names is a virus that will send your contacts messages that look like this:
Get the best screen names on website-removed
Like always, a quick google search provides a quick fix:
1. Close Messenger.
2. Go to 'Start' then 'Run' and type 'msconfig'. A new window should appear.
3. Click on the tab at the top right that says 'Startup'.
4. Untick the box next to 'IM-Names'. (If you cannot find it skip this task)
5. Click 'ok' and when it asks if you want to restart your computer say no.
6. Press 'Ctrl' + 'Alt' + 'Del'. Find the process that says 'IM-Names' and click End Task.
The virus has now been deactivated!
To remove it fully follow these instructions:
1. Search your computer for all files called "IM-Names".
2. Delete all files that it finds.
3. Empty your Recycle Bin.
The virus has now been fully removed!
I suggest that you warn your contacts via e-mail that they may have gotten the virus, and that they can remove it with the above instructions.
Here are, however, a few tips you should always follow (and which you should encourage your contacts to follow as well):
- Never, ever download something you don't have proof is safe
- Never go to a link from anyone unless your contact tells you what it is
- If a link is given from a contact and it doesn't seem like they would link you there, they're probably infected
- Last but not least, never get any Messenger Add-ons that aren't talked about anywhere, they are probably not safe
IM-Names removal instructions
Get safe instant messenger names
Get safe addons and tools for Windows Live Messenger
Tell us about known viruses and solutions!
Security Park reports:
Over the past 12 months, MSN Messenger has consistently ranked #1 as the most targeted IM platform. Fifty-three percent of all the IM-based threats blocked by ScanSafe in the past year have affected MSN, compared to 41 percent that affected AIM and 29 percent that affected Yahoo!.
Ouch, some harsh facts there. But the question is why Messenger is such a victim. Is it because MSN is ridiculously popular? Is it the fact the Messenger API is vast and easy for programmers to use? Or possibly because security is a major flaw in Messenger?
Anyway I think you should check out the article if you want to read up on more facts and speculate yourself. Viruses are really taking over instant messaging, and with good reason. They target a vulnerable audience, know how to trick people and easily spread.
Read: 'MSN Messenger is the most targeted IM platform'
Why? Well, because the feature is in no way coded correctly. Basically the security feature does what it says on the tin, blocks URLs containing .scr, and nothing else. Your contact will not receive your message, and you will not be alerted that your message has been blocked. Something which can be confusing and frustrating.
This is just one example, many other things are blocked within your messages. Good luck sending a message with staff.php, and I'll think twice before typing .pif into a conversation. Typing .pif is really annoying, I just wish Messenger would block the extension in a file transfer, but it's useless blocking sending 'pif' in a message. I know it is to stop urls with .pif in them, but urls can be masked, or redirect to a virus. This security feature is just an annoyance.
Typing .pif into multiple conversations was just ridiculous. It used to kick everyone out, it would totally end the conversation, and some prankster would do it just to annoy people. A fix is now just kicking you out, which is not a fix, just a temporary solution which needs to be tackled.
If any Windows Live Messenger developer reads this, next time a message is blocked for security reasons, make sure the user knows, and why. It will stop a lot of confusion, and may stop you getting your company into trouble. Many people have moaned in blogs about how Messenger blocks out certain words and extensions, and the majority are not for good reasons. Think more user-friendly, it is something very important nowadays.
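The over-blocking described in these posts can be measured. This is an added example, not Messenger's code: the entry lists are constructed from strings the posts mention, the link pattern is an assumed stand-in for what the client auto-links, and the messages are made up. Each check returns a reason the sender could be shown.

```python
import re

# Constructed entries modelled on strings this page names; not the real server list.
FULL = [".pif", ".scr", "download.php", "staff.php", ".info"]
# The same entries with their endings removed, as the post about the list describes.
TRUNCATED = [".p", ".s", "download.ph", "staff.ph", ".info"]

# Assumption: a rough stand-in for what the client turns into a clickable link.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)

def check_substring(message, entries):
    """Match an entry anywhere in the text (the behaviour first complained about)."""
    low = message.lower()
    for entry in entries:
        if entry in low:
            return False, f"blocked: message contains '{entry}'"
    return True, "delivered"

def check_urls_only(message, entries):
    """Match an entry only inside tokens recognised as links."""
    for url in URL_RE.findall(message):
        for entry in entries:
            if entry in url.lower():
                return False, f"blocked: link '{url}' contains '{entry}'"
    return True, "delivered"

# Constructed, harmless messages: every block here is a false positive.
BENIGN = [
    "Rename the .pif shortcut before you zip it",
    "Agenda is at http://example.org/plan.pdf",
    "See http://example.info/about",
    "lunch at noon?",
]

def false_positives(check, entries):
    """Return the benign messages that the given filter would drop."""
    return [m for m in BENIGN if not check(m, entries)[0]]

if __name__ == "__main__":
    for name, check in (("substring", check_substring), ("urls-only", check_urls_only)):
        for label, entries in (("full", FULL), ("truncated", TRUNCATED)):
            print(name, label, len(false_positives(check, entries)), "of", len(BENIGN))
    # The returned reason is what the sender should be shown instead of a silent drop.
    print(check_urls_only("lol http://example.test/LMAO.pif", FULL)[1])
```

Restricting matches to links removes the plain-text false positive, but shortening `.pif` to `.p` brings one back by catching an ordinary `.pdf` link.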
I get a message, from someone I have not spoken to in months saying:
if you love your MUM then send this to TEN people unless your mum will hav an ACC DENT Tonight OR Tomorrow send bac
How did I reply? Like every geek does, by complaining about the reasoning behind sending one. And the reply I got was on the lines of: I agree, but my mom could die.
Then I just ignored this person, and thought in the strange way I do, I must blog about this (seriously, I only got the message 15 minutes ago. I'm so sad.). It took my mind around three times as long to translate what the message actually meant. Then I get the same message again! And again, and again, and again ...
I seriously hate these things, and most of the people who fall for them and start panicking, sending them to all their contacts in hope of not upsetting any magical force.
There is a difference between chain mail and chain IMs. Some chain mail is actually rather funny, and cleverly done. However, chain IMs seem to be made up by someone who can't spell, with the attempt just to annoy everyone on their contact list. And the worst point yet is that you, yes you, have sent these on to someone else before! So when the next person sends you one of these, ignore it, close the conversation and forget it.
Thanks for reading.
The worm sent a message to your contacts with filenames like 'LMAO.pif' to lure in its victims. On execution it would do many things, depending on the variant. From swapping your right and left buttons on your mouse to creating a back-door to steal certain details about you. It was hopping mad, you couldn't escape it. It seemed everyone was infected.
The drama ended when the blocked extensions were introduced in MSN Messenger 7.0; it blocked extensions like .pif as well as others that could pose a threat. The worm died out. However, it seems to have made a return ...
Acting as a link to a .jpeg file, it does the same job, but has a different way of spreading. Using a link containing something like 'pictures.php?photo656.jpg' it tricks you into thinking it is an image, but you are offered to download a .pif file in your browser. Of course it is not as easy to spread, but many will fall for the trap and damn is that worm annoying. Be careful, watch the links your contacts have sent you, Bropia has returned!
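A link like the one described above can be checked before anyone opens it. This is an added example, not from the original post: the host `example.test` and the response headers are constructed, and `link_findings` is a hypothetical helper that compares what the link appears to be with what the server path and headers say.

```python
import posixpath
import re
from urllib.parse import urlsplit

IMAGE_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp"}
RISKY_EXTS = {".pif", ".scr", ".exe", ".com"}  # extensions named on this page

def ext(name):
    """Lower-cased extension of the last dotted component of a name."""
    return posixpath.splitext(name)[1].lower()

def link_findings(url, headers=None):
    """Return reasons a link that looks like an image is not one."""
    findings = []
    path = urlsplit(url).path
    shown_ext = ext(url)   # what the reader sees at the end of the link
    path_ext = ext(path)   # what the server is actually asked to run or serve
    if shown_ext in IMAGE_EXTS and path_ext != shown_ext:
        findings.append(f"ends in {shown_ext} but the server path is '{path}'")
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    # Name the browser would offer in its download prompt, if any.
    m = re.search(r'filename="?([^";]+)', headers.get("content-disposition", ""))
    if m and ext(m.group(1)) in RISKY_EXTS:
        findings.append(f"download is named '{m.group(1)}'")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if shown_ext in IMAGE_EXTS and ctype and not ctype.startswith("image/"):
        findings.append(f"Content-Type is '{ctype}', not an image")
    return findings

# Constructed samples: the link shape is from the post, host and headers are made up.
DISGUISED = "http://example.test/pictures.php?photo656.jpg"
DISGUISED_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": 'attachment; filename="photo656.pif"',
}
HONEST = "http://example.test/photos/photo656.jpg"

if __name__ == "__main__":
    for finding in link_findings(DISGUISED, DISGUISED_HEADERS):
        print("suspicious:", finding)
    print("honest link findings:", link_findings(HONEST, {"Content-Type": "image/jpeg"}))
```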



Messenger Stuff