New Hotmail hole discovered

From "Robert Kemp" <sensuant@hotmail.com>
Date Wed, 15 Sep 1999 14:31:36 EDT


[: hacktivism :]

from http://www.zdnet.com

New Hotmail hole discovered

JavaScript can be used to jimmy open Hotmail accounts, bugfinder says. 'This 
is not a security issue,' Microsoft says.

By Steven J. Vaughan-Nichols, Sm@rt Reseller September 13, 1999 3:50 PM PT

Just what the world didn't need: Another way to crack open Microsoft's 
beleaguered free, Web-based e-mail system, Hotmail. But, that's exactly what 
noted Bulgarian bugfinder Georgi Guninski claims to have found.

Guninski, who has made a name for himself by finding security violations in 
browsers, has found that Hotmail enables Web-page-embedded JavaScript code 
to run automatically.

This makes it possible for someone to write Web programs that could do 
anything from steal passwords to read others' mail. While it's long been 
known that active Web applets, whether written in ActiveX or Java, have the 
potential to pry open systems from the inside, this is the first case in 
which someone has shown that Hotmail is vulnerable to such attacks.

Not just a theoretical hole:
Is this a purely theoretical hole or one that can only be used by crackers 
to attack users? The answer, unfortunately, is the latter: Correctly written 
JavaScript programs can, at the least, raid users' inboxes.

Microsoft (Nasdaq:MSFT) is not claiming ownership of this latest problem. 
"This is not a Hotmail security issue. We see it as an example of people 
encouraging users to run malicious code on the Web," a Microsoft 
spokesperson said.


"To protect yourself now, you can disable JavaScript, just disable it before 
using Hotmail, or do not open mail from unknown people when you think it 
might contain JavaScript," the spokesperson added. "Microsoft is 
investigating ways for Hotmail users to have greater security against 
threats posed by malicious use of JavaScript in e-mail."

The latest Hotmail hole opens up because Hotmail doesn't handle the new HTML 
tag "STYLE." Java programmers and Webweavers use STYLE to insert JavaScript 
into HTML pages. The solution is to force Hotmail to handle STYLE in the 
same way it does ordinary JavaScript -- disabling it on arrival.

Timing couldn't be worse:
The fix may be simple, but the timing for Microsoft could not be worse. The 
latest Hotmail security breach follows by weeks a major Hotmail security 
meltdown. It took Microsoft hours to fix the problem, but millions of user 
accounts were left unprotected in the interim. Since that initial breach, 
the company has brought in TrustE and another auditing firm to help it head 
off future Hotmail security breaches.




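
The filtering gap the article describes (a mail filter that disables SCRIPT on arrival but does not handle STYLE), as an added example that is not part of the original article and is not Hotmail's code. The function names, the tag allowlist and the sample message are assumptions constructed for illustration; the element bodies are inert placeholders.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample message body; both element bodies are inert placeholders.
SAMPLE = ('<p>Hello</p><script>/* placeholder */</script>'
          '<STYLE>/* placeholder */</STYLE><b>bye</b>')

def denylist_filter(html):
    """Weak form: disables only the element the filter knows about (SCRIPT)."""
    return re.sub(r'(?is)<script\b.*?</script\s*>', '', html)

ALLOWED_TAGS = {'p', 'b', 'i', 'em', 'strong'}  # assumed allowlist
RAW_TEXT = {'script', 'style'}                  # bodies are code, not text

class AllowlistSanitizer(HTMLParser):
    """Hardened form: emit only allowlisted tags, no attributes, escaped text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT:
            self.skip += 1                 # start dropping the element body
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f'<{tag}>')    # attributes are never copied

    def handle_endtag(self, tag):
        if tag in RAW_TEXT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and not self.skip:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # anything else is plain text

def allowlist_filter(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return ''.join(parser.out)

if __name__ == '__main__':
    print('denylist :', denylist_filter(SAMPLE))   # STYLE element survives
    print('allowlist:', allowlist_filter(SAMPLE))  # only <p> and <b> remain
```

The denylist form has to be updated every time a new tag can carry script, which is the failure the article reports; the allowlist form drops tags it was never told about.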