Yahoo Quashes Mail Bug

Earlier Monday, security companies including Symantec and McAfee warned users that the "Yamanner" worm was using an unpatched JavaScript vulnerability in Yahoo Mail to compromise computers whose users simply viewed a malicious HTML-based message.

According to the SANS Institute's Internet Storm Watch, there were actually two variants circulating.

"The release of a new version barely two hours after we started our analysis which partially fixes the first version indicates that the code is very much under development and you should assume that the remaining bugs will be rapidly ironed out," wrote ISW analyst Arrigo Triulzi in an online alert.

There was no immediate workaround other than to steer clear of Yahoo Mail, since disabling JavaScript rendered the e-mail service unusable. The beta of Yahoo Mail was unaffected, but users were not able to switch unless they'd previously registered for the preview and received the go-ahead from Yahoo.

By Monday afternoon, however, Yahoo said that it had plugged the hole, though it was vague about the steps it had taken.

"Yahoo detected a worm on Monday morning which impacted a very small fraction of Yahoo Mail users," spokesperson Kelley Podboy said in an e-mail to TechWeb. "We have taken steps to resolve the issue and protect our users from further attacks of this worm. The solution has been automatically distributed to all Yahoo Mail customers, and requires no additional action on the part of the user."

Yahoo Mail is the leading free Web-based mail service, with a reported 200 million accounts.