Slashdot Mirror
Yahoo and Hotmail Filter Flaw
gandam writes "Israeli computer security firm GreyMagic Software has detected a serious security flaw in Yahoo's Web e-mail service and Microsoft Corp.'s Hotmail service, which could allow hackers to run malicious scripts on users' computers. I tried sending a mail to my yahoo account and it never reached my mailbox. According to the website, all attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com. No replies were received to date. Works only in IE5, though."
Myway is also great as a portal or homepage, it's much more customizeable than any other site I've seen, and again, no banners or popups.
You can also read all AP and Reuters stories with no registration, and there's partner links to NY Times and other reg-req'd sites (great for submitting articles to Slashdot).
However, Hotmail completely filters out that element, so another method of namespace declaration is needed. It so happens that Internet Explorer provides one other mechanism to declare a namespace, via the non-standard <?xml:namespace> processing instruction, which may be used anywhere in the document and does not get filtered.
This sig is empty.
"Solution: GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation. All attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com, no replies were received to date. "
Imagine how much harder physics would be if electrons had feelings! -Feynman, maybe
Yeah according to this site (linked from yahoo) on browser statistics IE 5 only makes up 11% of the market.
"I can not bring myself to believe that if knowledge presents danger, the solution is ignorance" - Isaac Asimov
I just tried it on IE6, and it works there too - should have said "IE5 upwards", I suppose.
(For those who don't know, MS's versioning is so bizarre that IE5 and IE5.5 are different in more than minor version number, while IE6 is pretty much IE5.5.1. No, I don't understand either; but I'm always glad of a reminder of why I use a Mac these days :-)
Using HTML in email is like putting sound effects on your phone calls. Just say <strong>no</strong>.
Tried submitting this a couple of times since yesterday but the submission system seems to have picked up a few bugs of its own where it says "Thanks for the submission" but nothing shows up in the queue. Here are the details...
Yahoo, Hotmail Users Vulnerable to XSS PC Attack
Both Yahoo Web e-mail and Microsoft Hotmail are vulnerable to an Internet Explorer cross-site scripting (XSS) attack that lets malicious users run local code, according to Israel's GreyMagic security consultants (proof of concept). Possible consequences range from theft of login and password to a remote takeover of the compromised machine. Reports indicate that Microsoft has patched the hole but Yahoo has yet to solve the problem. The vulnerability presumably affects Windows PC-based versions of Internet Explorer only. Some people might want to read this developerWorks article on how to prevent cross-site scripting and protect oneself, mentioned last month on Slashdot. More coverage at InternetNews and The Register.
Respect to MS for fixing the problem only 2 days later.
It's not the first and won't be the last IE exploit! Be prepared! Don't buy into the monoculture - use "second tier" software whenever possible. Mozilla Firefox is a fantastic free web browser with many security features and simple toggles. Eprompter is an excellent, simple, and free POP3\Hotmail\webmail client that lets you delete messages server-side before you open\view them.
Most important of all, keep up-to-date with Slashdot and other news services to stay aware of new vulnerabilities!
The reporter has it wrong.
ALL versions of IE *since* 5 contain this feature, which means that if there's a flaw in the filtering mechanism of the web-based email provider, script will run.
Yep, IE5, IE5.5 and IE6.
Sorry, but I'm not willing to get email with a service that supports the use of adware/scumware.
only works in IE5 though...
.
Well, that is what the article says, but the proof of concept page also works in IE 6.0 (6.0.2800.1106)
As it happens, provoked by receiving he Netsky virus embedded in an html email in Outlook that attempted to launch via an iframe, I happened to download Spybot Search and Destroy.
Using Spybot Search & Destroy, I found out about another Grey Magic discovered vulnerability, Executing arbitrary commands without Active Scripting or ActiveX. I also discovered that I'd apparently had an Alexa phone-home browser extension installed as a "Browser Helper Object" in IE, god knows for how long.
I've been using Mozilla FireWhatever for quite sometime, eschewing Internet Explorer except for those sites that don't work with IE or for testing my own sites in IE. But clearly, even a careful user with an up-to-date copy of IE and a firewall, isn't safe, principally because rather than concentrate on security and getting what they already have working securely, Microsoft prefers to pile on ever-accumulating layers of non-essential crap like HTML-TIME
I've no idea why someone thought that HTML-TIME, ostensibly for adding "timing and media synchronization support" to HTMl, required the ability to arbitrarily re-write pages. But clearly it's nothing that's desirable in an email.
My course is clear at this point: after repeated attempts, Microsoft still can't get it right, still cannot write a browser that's anywhere near secure. Crap like "HTML + TIME" is NOT worth the risks it brings with it -- especially when the risks are borne by the end-user in order to make life easier for (generally commercial) web site developers. Boycott IE, and boycott sites that only work in IE -- even if -- especially if, they use Microsoft extensions like "HTML + TIME".
Opinions on the Twiddler2 hand-held keyboard?
This is a bug in Hotmail and Yahoo's filtering of HTML and scripting code. Normally these sites strip any script code, but this is a new way of injecting arbitary script code into the HTML page Hotmail or Yahoo gives you showing the email you wanted to view.
An attacker could craft an HTML email that, when viewed in your inbox on Yahoo or Hotmail will execute some JavaScript or other script code from within the context of the Hotmail.com or Yahoo.com window. So it could do nasty things like deleting your messages automatically, forwaring your emails to another address, etc.
It does NOT allow your computer to execute native code unless the attack exploits some other browser-specific vulnerability.
Webmail will always be succeptible to these kinds of attacks if it does not carefully filter out HTML using any number of obscure features to insert malicious script in the Hotmail.com output.