Yahoo Closes Zero-Day YIM Hole

Earlier today we got an update from Yahoo that the issue we reported in a previous blog post has been fixed. As of the moment, YIM users running version 11.x of the instant messaging client are not vulnerable to the status-change mechanism anymore.

If you are running a vulnerable version of the product (all releases in version 11, including the latest version of the kit), you should know that you don’t have to download and install anything, as the fix has been applied server-side.

Bitdefender discovered the flaw last Friday as part of a forensic investigation on a customer’s machine. We immediately notified the affected vendor and other antivirus companies about the new threat and provided proof of concept code as basis for issuing a fix.