Webmail providers, such as Yahoo! Mail and Hotmail, are possible vectors of infection from mass-mailing email worms. As is the risk with Microsoft Outlook and other common email programs, if you download and execute programs from an email client you run the risk of executing malicious code. If there is a vulnerability in your email client, malicious code can even execute automatically. Webmail programs are similar to other email clients that are installed locally and are equally affected by vulnerabilities. For example, a variety of Outlook issues have been discovered in the past where attachments were automatically executed simply because a user previewed an item of email. Webmail programs are not immune from this type of vulnerability.
UPDATE: For an indepth look into Yamanner, please see Malicious Yahooligans.
While proofs of concepts have been posted demonstrating vulnerabilities in these webmail programs we had not seen one being used for a self-replicating worm, until now. JS.Yamanner@m is a first, and at the time of writing the vulnerability is still unpatched.
Fortunately, webmail programs have an advantage because they are server-side. So, when Yahoo! is able to patch this vulnerability, the worm will be dead. With client-side email programs administrators would need to ensure that all of their users apply available patches to their local email client installations. The good news is that in this case, as soon as Yahoo! patches the vulnerability, it will be patched for all Yahoo! Mail users.