New Security Hole in Hotmail | Internet News

Sep 13, 1999

Microsoft’s Hotmail service is at risk again from a new security
threat.

Bulgarian programmer Georgi Guninski has discovered that the
Web-based email service allows embedded JavaScript code to be automatically
executed on the computers of Hotmail users.

According to Guninski, the flaw could enable a malicious person to launch
password-stealing programs or to secretly access the contents of a Hotmail
user’s account.

A functional but relatively harmless demonstration of the
attack was sent by Guninski to InternetNews Radio. The test message showed
how embedded JavaScript could be used to read messages from the Hotmail
user’s inbox and display them in a separate window.

The latest Hotmail flaw affects users of Web browsers that support
cascading style sheets, such as Internet Explorer version 5 and Netscape
Navigator versions 4.x.

While Hotmail ordinarily detects and disables
incoming messages containing JavaScript, according to Guninski it fails to
properly handle a new HTML tag named STYLE, which allows Web programmers to
embed JavaScript in a Web page.
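The filtering gap described above, as an added example that is not from the original article or from Hotmail: a filter that removes only the markup it knows to be dangerous lets a STYLE element through, while a filter that emits only known-safe tags does not. The sample message, its placeholder bodies and the function names are constructed for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample message. The element bodies are inert placeholders.
SAMPLE = (
    '<p style="color:red">Hello</p>'
    '<script>PLACEHOLDER_SCRIPT</script>'
    '<style>PLACEHOLDER_STYLE</style>'
    '<b onclick="PLACEHOLDER_HANDLER">bye</b>'
)

def blocklist_filter(html):
    """Weak: removes only <script> elements and passes everything else through."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", html)

class AllowlistSanitizer(HTMLParser):
    """Stronger: emits only known-safe tags, with every attribute removed."""
    ALLOWED = {"p", "b", "i", "em", "strong"}
    DROP_WITH_CONTENT = {"script", "style"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in self.DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif tag in self.ALLOWED and not self.skip_depth:
            self.out.append(f"<{tag}>")  # attributes (style=, on*=) are not copied

    def handle_endtag(self, tag):
        if tag in self.DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in self.ALLOWED and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped, never passed raw

def allowlist_filter(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    print("blocklist:", blocklist_filter(SAMPLE))
    print("allowlist:", allowlist_filter(SAMPLE))
```

An unterminated STYLE element causes the allowlist version to drop everything after it, so a malformed message fails closed.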

An MSN Hotmail spokesperson said the service is investigating the
report. As a temporary workaround, concerned users can disable JavaScript
in their browsers.

Last month, a separate security hole enabled outsiders to log in to others’
Hotmail accounts without a password.

Gary McGraw, vice president of
corporate technology for Reliable Software Technologies, said the new
discovery suggests the Hotmail service may have become a new favorite
target of hackers.

“As an attacker, it’s a much juicier target than trying to attack every
individual platform out there,” McGraw said.

“These holes are like raw material, and it’s
good when the holes are discovered by people who are honest. But you can
work that raw material into many different sorts of attacks.”

In the wake of the earlier Hotmail attack, late last week Microsoft
confirmed that it intends to hire an outside firm to audit the security of
the service.
