Worm finds hole in Yahoo! Mail

A new worm that targets Yahoo! email users is on the loose, taking advantage of a JavaScript flaw, a security company has warned.

The Yamanner worm targets all versions of Yahoo! web-based mail except the latest beta version, Symantec said in an advisory released on Monday.

At the time of the advisory, there was no patch for the vulnerability. But by later on Monday, Yahoo! said it had come up with a fix for the flaw, which it said had affected very few of its customers.

A Yahoo! representative said: "We have taken steps to resolve the issue and protect our users from further attacks of this worm. The solution has been automatically distributed to all Yahoo! Mail customers, and requires no additional action on the part of the user."

Both Symantec and Yahoo! are encouraging people to update the antivirus definitions on their PCs.

Yamanner arrives in a Yahoo! mailbox bearing the subject header "New Graphic Site." Once the message is opened, the computer becomes infected and the worm spreads itself to people on the Yahoo! email contact list. The harvested email addresses are also sent to a remote online server, which Symantec suspects may use the information for spam campaigns.

Dean Turner, senior manager of Symantec Security Response, said: "The worm is taking a pretty novel approach. It takes advantage of a JavaScript vulnerability, so the user doesn't even have to click on an attachment to get infected."

The worm, which was spotted in the wild early this morning, has hit the remote server more than 100,000 times, forwarding Yahoo! email addresses harvested from unsuspecting users, Turner said.

Although it is spreading quickly, and no patch has been issued, Symantec is rating the threat a "2". The security vendor uses a 1-to-5 rating system, with "5" as its most severe category.

Turner said: "Antivirus definitions have been released for it and Yahoo! is working on a patch so we don't want to cry wolf. Although there is the potential the worm will affect a larger number of people, for now to raise it to another [higher] level would be inappropriate."

He added it is premature to predict whether this worm will morph into other forms and attack other browser-based forms of email, such as Google's Gmail.

Systems affected include Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003 and Windows XP, according to Symantec's advisory.

Dawn Kawamoto writes for CNET News.com