Microsoft patches critical Hotmail hole
By Sam Varghese
March 24, 2004

Microsoft has responded promptly to the discovery of a critical vulnerability in its Hotmail service and issued a patch in less than two days, according to an advisory posted by GreyMagic Software, an Israel-based security company.

However, GreyMagic said in its posting to the Bugtraq list that it had found a similar flaw in Yahoo!'s webmail service but found it impossible to contact the company.

GreyMagic said it had started work on the issue with Microsoft on March 11. "They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation," the advisory said.

"All attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com, no replies were received to date."

The vulnerability is a cross-site scripting (XSS) flaw. To exploit such a flaw, a web application is sent with a script that activates when it is read by an unsuspecting user’s browser or by an application that has not protected itself against cross-site scripting.

GreyMagic found that it was possible to exploit the flaw when people accessed their Hotmail or Yahoo! mail accounts using Internet Explorer.

The company said a malicious attacker could exploit the flaw and it could result in theft of login and password; disclosure of the content of any email in the user's mailbox; automatic dispatch of emails from the mailbox; exploitation of known vulnerabilities in the browser to access the user's file system and eventually take over the machine; distribution of a web-based email worm or disclosure of all contacts within the address book.
