Category: Yahoo

Due to some changes in ‘governmental policies’ regarding the issuance of automated electronic messaging, Microsoft’s management decided to push through with sending security notices to its clients. This is despite the company’s initial plan to terminate security notifications beginning in July. Microsoft allows its clients to subscribe to one or more of the RSS feeds on the Security TechCenter website. Speculation, not confirmed by Microsoft management, is circulating that the decision was based on the latest Canadian antispam law, which states penalties of $1 million for individuals and $10 million for businesses that violate it. Clients are looking forward to the best result of the decision.

Source: CSO

Yahoo plans to ignore “Do Not Track” privacy requests sent by Microsoft’s Internet Explorer (IE10) browser, calling its ally’s unilateral decision “signal abuse” and pointing to a possible rift between the search partners.

One Do Not Track (DNT) expert, however, didn’t think Yahoo’s decision, announced last week, would affect its deal with Microsoft.

In reality, some argue, IE10 does not actually switch DNT on: In August, Microsoft backed away a step, and promised that during Windows 8 setup, customers will be notified of the impending setting and given a chance to turn it off.

Source: InfoWorld

Yahoo accidentally leaked the private key that was used to digitally sign its new Axis extension for Google Chrome.

The company released Axis, a plug-in for HTML5-enabled web browsers such as Internet Explorer, Firefox, Chrome and Safari, as well as the iPhone and iPad, that is intended to speed up internet searches.

However, while looking at the source code for the Google Chrome Axis extension, hacker and security blogger Nik Cubrilovic discovered a serious security flaw — the package included the private cryptographic key used by Yahoo to sign the extension.

“With access to the private certificate file [private key] a malicious attacker is able to create a forged extension that Chrome will authenticate as being from Yahoo,” Nik Cubrilovic said.

Since private keys allow developers to digitally sign new extensions or update their old ones, they should always be kept secret.

An attacker can push a Yahoo-signed malicious extension to a browser that has the Axis extension installed, by using techniques like DNS spoofing, Cubrilovic said.

Yahoo confirmed the security issue. “We worked quickly to resolve the issue and have issued a new Chrome plug-in,” a Yahoo spokeswoman said via email. “Users who downloaded Yahoo! Axis on Chrome between the hours of 6-9 p.m. Pacific Time on May 23, 2012, are encouraged to uninstall the previous version and reinstall the new version at axis.yahoo.com.”

Source: Computerworld
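
The Axis incident above comes down to a signing key being shipped inside the published package. The following pre-release check is an added example, not code from Yahoo, Chrome or the original article: it scans a zip-format package for private key material and is meant to fail a build when anything is found. The function names, file names and sample package are constructed for illustration, and the PEM body is a placeholder rather than a real key.

```python
import io
import re
import zipfile

# PEM headers that mark private key material (PKCS#8, PKCS#1 RSA, EC, DSA, OpenSSH).
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# Names that conventionally hold keys; flagged for review even when the content
# is binary (DER, PKCS#12) and carries no PEM header.
SUSPECT_SUFFIXES = (".pem", ".key", ".p12", ".pfx")


def find_private_keys(archive_bytes):
    """Return sorted (member_name, reason) pairs for entries that look like key material."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)
            if PRIVATE_KEY_RE.search(data):
                findings.append((info.filename, "PEM private key header"))
            elif info.filename.lower().endswith(SUSPECT_SUFFIXES):
                findings.append((info.filename, "key-like file name (review)"))
    return sorted(findings)


def build_sample_package(include_key):
    """Constructed sample: a tiny extension-like zip, optionally with a placeholder key."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        zf.writestr("background.js", "console.log('hello');")
        if include_key:
            # Placeholder body, not a real key; only the PEM header matters to the scan.
            zf.writestr(
                "nested/signing.pem",
                "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n"
                "-----END PRIVATE KEY-----\n",
            )
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("clean", "leaky"):
        hits = find_private_keys(build_sample_package(label == "leaky"))
        print(label, "FAIL" if hits else "ok", hits)
```

Run as a release gate, a non-empty result should block publication. A key that has already shipped has to be treated as compromised and replaced, which is why Yahoo issued a new plug-in.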