New Security Hole in Hotmail

Microsoft's Hotmail service is at risk again from a new security threat.

Bulgarian programmer Georgi Guninski has discovered that the Web-based email service allows embedded JavaScript code to be automatically executed on the computers of Hotmail users.

According to Guninski, the flaw could enable a malicious person to launch password-stealing programs or to secretly access the contents of a Hotmail user's account.

A functional but relatively harmless demonstration of the attack was sent by Guninski to InternetNews Radio. The test message showed how embedded JavaScript could be used to read messages from the Hotmail user's inbox and display them in a separate window.

The latest Hotmail flaw affects users of Web browsers that support cascading style sheets, such as Internet Explorer version 5 and Netscape Navigator versions 4.x.

While Hotmail ordinarily detects and disables incoming messages containing JavaScript, according to Guninski it fails to properly handle a new HTML tag named STYLE, which allows Web programmers to embed JavaScript in a Web page.
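The failure mode described above, a filter that removes the script carriers it knows about and passes a newer one through, shown as an added example (not Hotmail's code and not Guninski's demonstration): a hypothetical blocklist filter beside an allowlist sanitizer. The tag policy, the function names and the sample message are assumptions constructed for illustration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample message; the STYLE body is a harmless placeholder.
SAMPLE = ('<p>Hello</p><script>/* placeholder */</script>'
          '<style type="text/css">/* placeholder for active content */</style>'
          '<p style="color:red">Bye <a href="https://example.com/">link</a></p>')

def blocklist_filter(markup):
    """Hypothetical blocklist: strips only the carrier it knows (<script>)."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", markup)

ALLOWED_TAGS = {"p", "b", "i", "br", "a"}      # assumed mail-body policy
ALLOWED_ATTRS = {"a": {"href"}}                # everything else is dropped
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}        # element and its body removed

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return                             # unknown tags never reach output
        kept = [f' {n}="{html.escape(v, quote=True)}"' for n, v in attrs
                if n in ALLOWED_ATTRS.get(tag, ()) and v
                and v.strip().lower().startswith(SAFE_SCHEMES)]
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:                      # text is re-escaped, never trusted
            self.out.append(html.escape(data))

def allowlist_sanitize(markup):
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    print("blocklist:", blocklist_filter(SAMPLE))
    print("allowlist:", allowlist_sanitize(SAMPLE))
```

The blocklist output still contains the STYLE element and the inline `style` attribute, while the allowlist output keeps only the tags and attributes named in the policy.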

An MSN Hotmail spokesperson said the service is investigating the report. As a temporary workaround, concerned users can disable JavaScript in their browsers.

Last month, a separate security hole enabled outsiders to log in to others' Hotmail accounts without a password.

Gary McGraw, vice president of corporate technology for Reliable Software Technologies, said the new discovery suggests the Hotmail service may have become a new favorite target of hackers.

"As an attacker, it's a much juicier target than trying to attack every individual platform out there," McGraw said.

"These holes are like raw material, and it's good when the holes are discovered by people who are honest. But you can work that raw material into many different sorts of attacks."

In the wake of the earlier Hotmail attack, late last week Microsoft confirmed that it intends to hire an outside firm to audit the security of the service.