Yahoo and Hotmail Filter Flaw
gandam writes "Israeli computer security firm GreyMagic Software has detected a serious security flaw in Yahoo's Web e-mail service and Microsoft Corp.'s Hotmail service, which could allow hackers to run malicious scripts on users' computers. I tried sending a mail to my yahoo account and it never reached my mailbox. According to the website, all attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com. No replies were received to date. Works only in IE5, though."
Myway is also great as a portal or homepage, it's much more customizable than any other site I've seen, and again, no banners or popups.
You can also read all AP and Reuters stories with no registration, and there's partner links to NY Times and other reg-req'd sites (great for submitting articles to Slashdot).
However, Hotmail completely filters out that element, so another method of namespace declaration is needed. It so happens that Internet Explorer provides one other mechanism to declare a namespace, via the non-standard <?xml:namespace> processing instruction, which may be used anywhere in the document and does not get filtered.
"Solution: GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation. All attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com, no replies were received to date. "
Imagine how much harder physics would be if electrons had feelings! -Feynman, maybe
Yeah according to this site (linked from yahoo) on browser statistics IE 5 only makes up 11% of the market.
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
hmm... should this have been 'news'? most people (well, at least on here) know of sites like Hushmail which offer much better (and still free) security for web-based email. Hotmail and Yahoo are... well, about as secure as windows :)
I just tried it on IE6, and it works there too - should have said "IE5 upwards", I suppose.
(For those who don't know, MS's versioning is so bizarre that IE5 and IE5.5 are different in more than minor version number, while IE6 is pretty much IE5.5.1. No, I don't understand either; but I'm always glad of a reminder of why I use a Mac these days :-)
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
Tried submitting this a couple of times since yesterday but the submission system seems to have picked up a few bugs of its own where it says "Thanks for the submission" but nothing shows up in the queue. Here are the details...
Yahoo, Hotmail Users Vulnerable to XSS PC Attack
Both Yahoo Web e-mail and Microsoft Hotmail are vulnerable to an Internet Explorer cross-site scripting (XSS) attack that lets malicious users run local code, according to Israel's GreyMagic security consultants (proof of concept). Possible consequences range from theft of login and password to a remote takeover of the compromised machine. Reports indicate that Microsoft has patched the hole but Yahoo has yet to solve the problem. The vulnerability presumably affects Windows PC-based versions of Internet Explorer only. Some people might want to read this developerWorks article on how to prevent cross-site scripting and protect oneself, mentioned last month on Slashdot. More coverage at InternetNews and The Register.
Respect to MS for fixing the problem only 2 days later.
It's not the first and won't be the last IE exploit! Be prepared! Don't buy into the monoculture - use "second tier" software whenever possible. Mozilla Firefox is a fantastic free web browser with many security features and simple toggles. Eprompter is an excellent, simple, and free POP3/Hotmail/webmail client that lets you delete messages server-side before you open/view them.
Most important of all, keep up-to-date with Slashdot and other news services to stay aware of new vulnerabilities!
The reporter has it wrong.
ALL versions of IE *since* 5 contain this feature, which means that if there's a flaw in the filtering mechanism of the web-based email provider, script will run.
Yep, IE5, IE5.5 and IE6.
Sorry, but I'm not willing to get email with a service that supports the use of adware/scumware.
I have to agree with you here, I too have been using Yahoo mail since RocketMail. Yahoo Notepad is another reason I like Yahoo mail so much, I don't have to keep emailing myself small bits of information.
Saying Java is nice because it works on all OS's is like saying that anal sex is nice because it works on all genders.
only works in IE5 though...
Well, that is what the article says, but the proof of concept page also works in IE 6.0 (6.0.2800.1106)
As it happens, provoked by receiving the Netsky virus embedded in an HTML email in Outlook that attempted to launch via an iframe, I happened to download Spybot Search and Destroy.
Using Spybot Search & Destroy, I found out about another Grey Magic discovered vulnerability, Executing arbitrary commands without Active Scripting or ActiveX. I also discovered that I'd apparently had an Alexa phone-home browser extension installed as a "Browser Helper Object" in IE, god knows for how long.
I've been using Mozilla FireWhatever for quite some time, eschewing Internet Explorer except for those sites that don't work with IE or for testing my own sites in IE. But clearly, even a careful user with an up-to-date copy of IE and a firewall isn't safe, principally because rather than concentrate on security and getting what they already have working securely, Microsoft prefers to pile on ever-accumulating layers of non-essential crap like HTML+TIME.
I've no idea why someone thought that HTML+TIME, ostensibly for adding "timing and media synchronization support" to HTML, required the ability to arbitrarily re-write pages. But clearly it's nothing that's desirable in an email.
My course is clear at this point: after repeated attempts, Microsoft still can't get it right, still cannot write a browser that's anywhere near secure. Crap like "HTML + TIME" is NOT worth the risks it brings with it -- especially when the risks are borne by the end-user in order to make life easier for (generally commercial) web site developers. Boycott IE, and boycott sites that only work in IE -- even if -- especially if, they use Microsoft extensions like "HTML + TIME".
Opinions on the Twiddler2 hand-held keyboard?
The problem is not that the script is getting executed in your browser but that it is a script from an email getting sent and executed by your browser. Most mail clients by default have scripting disabled because a malicious email can do some nasty things like steal your address book or confirm your email account is active to a spammer. It's the Webmail server's job to prevent scripts from being executed, not the browsers.
FYI - POP3 access is only available for Yahoo! if you pay for it. I forget what the actual yearly costs are, probably around $30. However, Yahoo!POPs is freeware that you can access your Yahoo! mail with. It sets up a localhost SMTP and POP3 server, remotely accesses Yahoo! and translates the HTML email pages. Very incredible free program!
The IE/Mac codebase is totally different from the IE/Windows codebase. But, like any sensible Mac user, I use Safari these days.
For those who want to know, I've just tested on IE/Mac v.5.2.2, and it's not vulnerable.
This isn't a security flaw of any meaning. This is a way to slip past the content filter on Yahoo! and Hotmail. Big fricking deal. Any script you manage to slip by the filters using this script could be found on any web page. There is no system vulnerability involved here. All "injected" scripts are subject to the same sandboxes and vulnerabilities that code you put up on your web page is. Nothing more, nothing less. Yahoo! doesn't need to jump on this because the damn thing is just an inconvenience, not a security threat.
Why is it so hard to understand that when script can run in a web-based email it can do whatever the USER can do and more?
That means your entire mailbox can be read and sent to a remote server.
That means emails can be sent from the mailbox.
That means your address book can be accessed.
Running script in general might be an inconvenience, but in this context, it's a big-ass security vulnerability.
If you know of any other such filtering flaws that aren't patched, feel free to point them out. But I assure you that everything you'll find by Googling had already been patched.
Well, number 224853 shouldn't scare you. It is entirely about Mozilla politics, and doesn't involve software at all.
Number 204506 says, "Actual Results: I can enter maxlength + 1 characters into a input field." That doesn't sound very scary. There is no mention of running code in the extra byte.
Bug 182176 says, "This is not much of a security hole since chrome can read any file anyways and non-trusted content can't use chrome URLs. It's worth fixing in case some future exploit allows untrusted content to use chrome urls, but I'm removing the security flag because there's no exploit here.
Bug 129996 is about an annoyance, at most.
Good old Mozilla. Yes, the parent post is a troll. No security problems are shown in the link.
Well, erm, there was actually logic to that you see...
When NN4 came out, Netscape was busy at work on the Netscape 5 codebase (what eventually became Mozilla). After about a kazillion slipped deadlines, and the battering of the free and pre-installed IE4 that they competed against on Windows, Netscape open-sourced the moribund and convoluted Netscape 5 codebase as the Mozilla Project. To show they still had some hope for the future, Netscape 4.5 was introduced as an interim release--one which .1 revved all the way up to 4.8; so much for "interim".
Meanwhile, after languishing for approximately two years, Mozilla finally gained some traction and started pacing up towards an actual 1.0 release, after several buggy milestones and many pre-releases. Although this was really "Netscape 5", the Netscape company decided there were too many bad associations with that version. Hence, Mozilla 0.92 or so became Netscape 6. Eventually, when Mozilla hit the 1.0 release, Netscape obliged with a 7.0 release, due to the premature release of those buggy pre-1.0 versions as 6 and the desire to ensure people understood it was massively improved.
So as much as it looks like bizarre marketing, there was a logic and consistency to that versioning.
But since it's IE5 or greater, you sum (IE5 = 11%) + (IE6 = 72%) = 93% of the browser population affected.
This is a bug in Hotmail and Yahoo's filtering of HTML and scripting code. Normally these sites strip any script code, but this is a new way of injecting arbitrary script code into the HTML page Hotmail or Yahoo gives you showing the email you wanted to view.
An attacker could craft an HTML email that, when viewed in your inbox on Yahoo or Hotmail, will execute some JavaScript or other script code from within the context of the Hotmail.com or Yahoo.com window. So it could do nasty things like deleting your messages automatically, forwarding your emails to another address, etc.
It does NOT allow your computer to execute native code unless the attack exploits some other browser-specific vulnerability.
Webmail will always be susceptible to these kinds of attacks if it does not carefully filter out HTML using any number of obscure features to insert malicious script in the Hotmail.com output.
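The point made here and in the advisory excerpt above (a deny-list filter strips the xmlns element but not IE's `<?xml:namespace>` processing instruction) is easiest to see in an allow-list sanitizer. This is an added example written for this thread, not Hotmail's, Yahoo's or GreyMagic's code; the tag list, the sample message and the `t:elem` tag are constructed.

```python
"""Allow-list HTML e-mail sanitizer (constructed example, not any webmail provider's code).

A deny-list that removes <script> and xmlns declarations still passes IE's
<?xml:namespace ...?> processing instruction, which can declare a namespace
prefix anywhere in the document.  An allow-list parser does not need to know
about that mechanism: every processing instruction, comment, declaration and
non-listed tag is dropped, and only listed attributes with safe URL schemes survive.
"""
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "b", "i", "br", "a", "ul", "li"}      # assumed policy
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded, re-escaped below
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:               # <script>, <html>, prefixed t:... all go
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                          # style/behavior/on* never listed
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue                          # javascript: and friends dropped
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data))        # text is data, never markup

    def handle_pi(self, data):                    # <?xml:namespace ...?> lands here
        pass                                      # and is discarded, not echoed

    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def unknown_decl(self, data): pass


def sanitize(html_email: str) -> str:
    p = AllowListSanitizer()
    p.feed(html_email)
    p.close()
    return "".join(p.out)

# Constructed sample: a namespace declared via the processing instruction, a prefixed
# element, a javascript: link and a normal link.
SAMPLE = ('<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time" ?>'
          '<p>Hi <b>there</b> &amp; welcome</p><t:elem foo="bar"/>'
          '<a href="javascript:alert(1)">x</a><a href="https://example.com">ok</a>')
```

`sanitize(SAMPLE)` keeps only the paragraph, the text of the unsafe link, and the https link; the processing instruction and the prefixed element leave no trace in the output.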
No, that was PassPort. http://news.com.com/2100-1038-5175554.html
Alexa also makes a separate downloadable toolbar that shows related links automatically on each page transition, and so tracks (almost) every site you visit, but this is different than the BHO bundled with IE.
--Pat / ex-Alexan
MS's versioning is so bizarre that IE5 and IE5.5 are different in more than minor version number, while IE6 is pretty much IE5.5.1
I wouldn't agree with your assessment that IE6 was a minor update to IE5.5. IE5.0 to 5.5 was probably a bigger change (and should have been called 6.0), but there were some big changes, including print preview, privacy enhancements, .NET WinForm hosting, that damn image toolbar, and most importantly, big improvements in CSS.
I think you misunderstand how standards work. They provide a framework of things that MUST or SHOULD be implemented. They don't say "...and you MUST NOT implement anything else".
The flaw relies on a proprietary extension of Internet Explorer.
This extension has nothing to do with HTML specifications as documented by the W3C.
Yahoo! did nothing bad. The Yahoo! filtering system works. Yahoo is not supposed to deal with every browser specific non-standard extension.
If I release a patch for Mozilla that implements a tag that formats your hard disk, should we immediately blame every webmail on the planet because there's a vulnerability here?
No. And the fact that IE is widely used shouldn't mean that it should be a special case and that every program out there should care about its silly specific extensions.