To Those Using Yahoo! Messenger 11...

[Clusterphuck]

Anyone using Yahoo! Messenger 11 should update to Yahoo! Messenger 11.5 as soon as possible as it seems Yahoo is blocking people from logging in with Yahoo! Messenger 11 (and YMSGv18) potentially due to the iFrame exploit that has been making its rounds. The iFrame vulnerability is critical as it could be used to compromise a person's PC by executing malware like a trojan or virus without the user's knowledge or it can be used to cause a blue screen of death crash on any Windows PC. Yahoo is fully aware of the vulnerability and are working on fixing it - it seems they've pushed a fix for Yahoo! Messenger 11.5 (YMSGv19) hence the suggestion to update. Here's some information by Yahoo from the Yahoo! Messenger blog:

It's come to our attention from the Yahoo! Messenger Community that hackers are intentionally exploiting a newly-discovered security vulnerability affecting Messenger for Windows. At Yahoo!, we take security very seriously and we greatly appreciate those who flagged this to us. We are actively working to completely resolve this issue.  In the interim, we have pushed a fix that will protect users against this vulnerability. Messenger users need to log out of Messenger and then back-in for the fix to take effect.

YTK Enhanced is more or less compatible with Yahoo! Messenger 11.5 except do not use the Auto-Reconnect or Auto-Gawd Mode features as they won't work! It's also not really recommended to use any other versions below 11.5 because of this issue!

Thanks!

[Adam X]

YTK's Auto-Reconnect feature works fine with all the YMSG protocol versions _except_ YMSG version 18 due to the change Yahoo! just made a few days ago. YMSGv18 is still usable but the cookie login for it has been specifically affected (as was the regular SSL-based login with improper client id / version strings). This iframe injection vulnerability has existed for many months (since YM 11 beta first debuted) and is definitely a severe issue since it can allow a person to execute code on your computer, steal your account (cookies and potentially the password), among many other possibilities. This exploit only affects Yahoo! Messenger 11 and I haven't personally checked it against YM 11.5 yet but I imagine there are other packet types that can be used to do the damage as well. YTK's out-of-the-box configuration (default settings) block the invitations sent to you from non-friends containing the exploit script code (an HTML form with an iframe embedded typically).

Yahoo!'s choice to tamper with YMSGv18 specifically was pretty stupid considering that this can be completely blocked server-side without targeting an entire protocol version (which YM 11.0 builds use version 18 by default). What's scary is that they just now became aware of this vulnerability when it's existed and been exploited for months on end.

For now, if you plan to use Auto-Reconnect in YTK, do not use YMSG version 18 until I fix it up in the next build. All the other protocol versions will work correctly when using this feature. If you want to have most of the functionality while using Auto-Reconnect then choose YMSG version 17 which will only limit your Facebook chat feature and multiple session instances for the same account while allowing everything else. Typically our users use Auto-Reconnect for YMSG version 102's boot resistance but I am aware that some just use it to lessen any disruption from boots leading to disconnections.