Yahoo Messenger patch ready, but it's not mandatory

I'm still working on that follow-up story on how Yahoo completely screwed up the flaw disclosure process (waiting to give Yahoo a chance to comment) and caused exploit code to be publicly released but, in the meantime, Yahoo Messenger users should know that a patch is now available and ready for download.Over the next several weeks, users worldwide will be prompted to update to a new version of Yahoo!

I'm still working on that follow-up story on how Yahoo completely screwed up the flaw disclosure process (waiting to give Yahoo a chance to comment) and caused exploit code to be publicly released but, in the meantime, Yahoo Messenger users should know that a patch is now available and ready for download.

Over the next several weeks, users worldwide will be prompted to update to a new version of Yahoo! Messenger upon signing into the service. If you choose not to update and you have not updated via this page or at messenger.yahoo.com, the vulnerability will still exist.

Yahoo will keep prompting the user to apply the patch everytime a login attempted but it's important to note that this patch is not automatically distributed to end users.

Now that exploit code is available and an attack requires very minimal user action, I believe Yahoo should force a mandatory upgrade to ensure this patch is applied by everyone logging into the service. There is a precedent already established for mandatory IM client upgrades during a security threat.

Newsletters

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.
See All
See All