Trend Micro reports that new proof-of-concept (PoC) code exists that exploits a feature (vulnerability?) in Yahoo! Messenger. The code uses a feature in a certain DLL file to download a file. Malware authors can leverage the same DLL file to download malware. According to the report, the exploit works on the latest version of the popular messaging client.
From the report:
Based on testing done in Windows XP SP2 with the latest version of Yahoo! Messenger (8.1.0.421) using the said DLL component, programs or Web sites using the CLSID related to the said DLL can download files from the Internet. Users can be led to malicious/non-malicious sites that will first prompt for an ActiveX warning. When users allow the said ActiveX component to execute, FT60.DLL downloads files specified by the program or Web site.
It will be hard to lead a user to a Web site and then fool the user into allowing an unknown ActiveX component to run, but it can be done. Users are advised to be careful when clicking on links sent via IM or installing applications from untrusted sources.
Whether malware will leverage this remains to be seen.