Dec 05

Recently there has been a review of Firefox add-ons from a security perspective done by Nick Freeman that was presented at a security conference and covered here.  One of the add-ons cited in the review was Yoono, which unfortunately was highlighted as a security risk.  At Yoono we want to be totally transparent with our users, so we wanted to address the issue, as it has been picked up by several security blogs online.  Here are a few details:

  • On June 29, 2009 we were contacted by Nick Freeman from Security Assessment about a security vulnerability that he discovered in the version of Yoono that was available at the time, Yoono 6.1.0.
  • Nick did the right thing as a security analyst by informing the developer (us) first before publishing the details of the exploit publicly.  For those who don’t know, this is industry best practice, as it gives the developer the chance to fix it before any harm is done.
  • Without going into too much detail, the issue he discovered involved visiting a malicious website that presented an image with some code attached.  If a Yoono user shared this image with another user, it could cause malicious code to execute on the user’s computer.  A serious issue, but a relatively unlikely scenario in practice.
  • As soon as we were notified of the issue we started working on it and fixed it the same day.  We submitted our fix to Mozilla and the fixed version (6.1.1) was available to end users on July 6th as an automatic update.
  • We notified Nick that this issue had been fixed in Yoono 6.1.1.

We take all security issues very seriously and strive to address them as quickly as possible.  Unfortunately, Nick’s review has only recently been published online, and there are several issues with it from our perspective (due to the publishers of the information, not Nick’s initial assessment):

  • Several blogs have incorrectly cited the version numbers affected – suggesting 6.1.1 or 6.x or “possibly other versions” may be affected.  To be clear, this issue does not affect any version after 6.1.0 and has been fixed since July 2009.
  • Unfortunately readers of these articles are left with the mistaken impression that Yoono currently has this vulnerability because no note is made of when it was fixed or in which version it was fixed.

We are actively contacting blogs that have reposted incorrect information and asking them to change their information where it is incorrect.  But foremost we wanted to set the story straight here with you, our users.  As always, let us know if you have any questions.

The Yoono Team

For reference, here are some of the places this issue was originally published:

  • http://secunia.com/advisories/37468/
  • http://www.securityfocus.com/bid/37123/info
  • http://xforce.iss.net/xforce/xfdb/54417
