March 23, 2004 3:49 PM PST

Filter flaw vexes Hotmail, Yahoo

Related Stories

Passport to nowhere?

March 23, 2004

MSN Messenger, Hotmail on the fritz

March 12, 2004

Yahoo plugs IM security hole

December 5, 2003

Report: Watch out for Web site flaws

January 14, 2003
A flaw in the way Web-based e-mail services Yahoo Mail and Hotmail filter messages left users open to attack via specially crafted online scripts, a security specialist said Tuesday.

The glitch created the possibility of attacks that could have let Web miscreants steal passwords, access the content of e-mail opened by victims or even spread worms through Web e-mail, said Lee Dagon, director of research and development for Israeli computer security firm GreyMagic Software. GreyMagic discovered the flaw March 6 and released an advisory about it Tuesday.

"Hotmail and Yahoo do everything they can to prevent script from running in an e-mail message," Dagon said, readily filtering the Hypertext Markup Language content that arrives in messages. "We found a way to bypass their filters in order to make script run."

Technically, the vulnerability is part of a class of problems known as cross-site scripting flaws. Such flaws use a problem in a site's security to pass potentially harmful commands to another site or a user's computer.


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


The Open Web Applications Security Project has labeled such flaws the No. 1 issue e-commerce sites face. The current issue uses a feature of Internet Explorer and thus only affects users of Microsoft's browser.

Microsoft, which had been working on the problem with GreyMagic since March 11, has already fixed the flaw by filtering the potentially malicious script at Hotmail's servers. "Hotmail customers are fully protected from the vulnerability," a Microsoft representative said.

Yahoo said Tuesday afternoon that it expects to have the flaw fixed "shortly."

Yahoo never got the original alert from the security firm, due to an internal glitch, a company representative said Tuesday, after being told of the advisory by CNET News.com.

"Due to an isolated issue, we became aware of this specific report after it was first reported to us and have taken steps to prevent (such oversights) from occurring in the future," a representative said in an e-mail.

The vulnerability takes advantage of the seldom-used HTML+TIME module in Internet Explorer, which allows the browser to add timing and synchronization to Web pages. The flaw itself is not in Internet Explorer, however, or Outlook; it requires a Web service to actually have some interesting content to attack, GreyMagic's Dagon said.

"A script in Outlook would have to rely on a second vulnerability to do any real damage," he said. "However, when a script is running in Web-based services, it has immediate access to the entire mailbox."

Microsoft's Hotmail had issues two weeks ago, due to unknown problems with the software giant's Internet identity service, Passport. In December, Yahoo had to patch a flaw in its instant-messenger client that could have left users open to attack.

The advisory that describes the issue can be found on GreyMagic's Web site.

CNET News.com's Jim Hu contributed to this report.

1 comment

Join the conversation!
Add your comment
This is a IE flaw, not a Yahoo/Hotmail flaw
Why do people say it's the fault of the website when a browser like IE is riddled with security holes? Instead of forcing the world to protect IE from itself, people should realize that IE is critically flawed and stop using it.
Posted by (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.