Yahoo and Hotmail Filter Flaw

gandam writes "Israeli computer security firm GreyMagic Software has detected a serious security flaw in Yahoo's Web e-mail service and Microsoft Corp.'s Hotmail service, which could allow hackers to run malicious scripts on users' computers. I tried sending a mail to my yahoo account and it never reached my mailbox. According to the website, all attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com. No replies were received to date. Works only in IE5, though."

Works only in IE5, though

[Noryungi]

Yep. Thank Mozilla for Firefox.

Seriously, folks -- I have said it before and I'll said it again -- do not use Microsoft products when it comes to the Internet.

If you care, even minimally, about security, then Firefox and Thunderbird should be installed by default on your Windows machine instead of Internet Explorer and Outlook.

This was the case in one of the companies I worked for, and they had almost zero virus problems in two years.

Re:Works only in IE5, though

[stubear]

I am so tired of hearing this crap. I use Outlook 2000, IE 6, IIS 5, and I use an MN-700 Wireless Router/Firewall. I have had only one "hacker" incident because I left my FTP site open to anonymous connections once. Big deal, I shut if off and voila, no more problem. My system runs 24/7 without a hitch. To boot, I'm a graphic designer, not an IT whiz.

Re:Hotmail evidently fixed

[Call+Me+Black+Cloud]

Yes, Hotmail was fixed in less than 2 days. That's impressive. You won't hear much about it because it's Microsoft. If Hotmail was open source you'd be reading posts trumpeting the superior open source development model. "See how we joined hands and overcame the problem quickly!"

Well, all I can say is: See how Microsoft worked with a (foreign) company and fixed the problem less than 2 days after hearing about it. This company is clearly focused on security.

Does it have Pay for POP3 access?

[Azureflare]

That's the whole reason I use yahoo. That and I get about 2 pieces of spam a week. I love yahoo, and I've had it for 6 years now. I got it when rocketmail and yahoo were still separate.

I love being able to use yahoo with pop3, I like it a lot better than my ISP email.

Also you know what's funny? myway.com is in my hosts file routed to 0.0.0.0. It's blocked from my computer, as a ad/spam domain. I unblocked it, and I can't see any features of myway on their site. It looks like an almost identical clone to yahoo. It goes back in the hosts file.

I think I'll stick with good ol' reliable yahoo. It's only been down once in the past two years.

BTW, I use linux, so I don't need to worry about this silly IE vulnerability. (I don't even use the webclient anyway).

Re:Only in IE5

[slycer9]

Yes, but have you ever noticed how techie polls usually DO show a higher percentage of non-IE users?

Methinks it's because techies don't use IE, (simple enough), rather than fewer people using IE.

The results are skewed simply by the nature of the site hosting the test. That'd be kind of like ISO.org hosting a poll asking whether or not their visitors were Linux users.

Open Source Projects vulnerable?

[jaylee7877]

According to the details I've seen on the exploit, it's not just Hotmail and Yahoo that are vulnerable but most webmail interfaces. Has anyone tested this against Horde and SquirrelMail?

You don't use IE but your friends might

[bug-eyed+monster]

A lot of people are saying "big deal, I don't use IE." Neither do I, nor do I use yahoo or hotmail for anything personal. But some of my friends only have a hotmail/yahoo account and use IE either because it's their only choice (at work), or they're too lazy to install, configure and learn to use a new browser.

Now the article says this security flaw allows "Content disclosure of any email in the mailbox." This means that if you have sent anything personal to any mailbox on yahoo or hotmail, this info might be vulnerable, even if you personally don't use IE. The recipient might use IE and get their inbox read by others.

Who is to blame, hmm?

[baafie]

If this flaw works only in IE5, then it is not a flaw in yahoo/hotmail, but just another IE exploit.

Re:Hotmail evidently fixed

[quantaman]

I don't really want to jump in on the open source vs. microsoft security debate here but I think there are a couple important points here, first you're talking about a sample size of 1 here for MS on the contrary most open source security holes I hear about on /. are patched in less than 2 days as well (sometimes hours though those patches don't always work:). But more important this isn't really in the same categories as other security holes, most holes are with microsoft products and there they can drag their feet in releasing a patch because even when the a member of the public has their machine comprimized by a virus (which the patch usually predates) they don't associate microsoft with the problem. A problem with affecting hotmail however is a problem with a microsoft service and thus would be immediatly associated with microsoft and would recieve a much higher priority in being fixed. Not to say that open source is better just that this isn't a good example to cmopare the two.

Re:Works only in IE5, though?

[bellings]

There are many posts here claiming the XSS bug is in IE, not in Hotmail or Yahoo. These posts were written by morons.

The point is, filtering HTML is a hard problem. Few sites get it 100% correct. To call a XSS bug in Hotmail an IE bug is to completely misunderstand the problem. Similarly, to call a page-widening bug an IE problem completely misses the point.

Should a user-agent render breaks at its own whim? Probably not. If a user-agent does not render spaces at its own whim, is it a bug? Probably not. If a "suprising" script language gets trhough the Hotmail filters, is it a bug in Hotmail or the user-agent? If a page widening post gets through slashdot, is it a bug in Slashdot or the user-agent?

Anyhow, go here to read how other people have looked at the problem. It is a solvable problem, and solving it could generally make for a better user experience here on slashdot. However, I don't see it happening any time soon, because Slashdot treats it as a bug in the user-agent.

Don't ask about open source projects!

[whoever57]

Don't ask that question: I was modded down, "Offtopic", for asking the exact same question!

Re:RTFA: *NOT* an IE bug.

[FireFury03]

Wrong!
(mostly).

While it's true that this is a filtering bug in Hotmail and Yahoo, the reason it's a problem is because "It so happens that Internet Explorer provides one other mechanism to declare a namespace, via the non-standard <?xml:namespace> processing instruction.

So once again, the web designers have to work around IE's non-standards compliance.

Is not people like you that worries me.

[jotaeleemeese]

Since obviosuly you have half a clue about what you are doing.

For the people that have got not a clue, the recommendation of the poster preceding your post is timely and accurate.

Re:RTFA: *NOT* an IE bug.

[FireFury03]

I would've thought it obvious that the non-standard feature should never have been implemented to start with.

Besides, MS have shown in the past that they're happy to completely remove completely standard features that have completely legitimate uses rather than just fixing the bug that makes them dangerous, so why should they find removing a nonstandard feature any more of a problem?

Microsoft have cornered the market with a bugridden browser that they have no motivation to improve by bundling it with standard windows - no web developer wants to alienate 95% of their visitors by refusing to support such a broken piece of software, so web developers are stuck in the continual situation of having to work around the bugs in IE rather than using all those cool features that every other browser supports (and have supported for a long time).

Re:Only in IE5

[bullfighter6]

You missed the point of the precious poster. He was refering to version 5 of IE. Accounting all versions of IE, their share is [unfortunately] more than 90% over other browsers. Here you can find a complete breakdown of all browsers and versions of a generalistic (i.e. non techie) site to prove this. Also there's some interesting info regarding new device's browsers, like there's more hits from Sony/Ericsson Browser (PDA/Phone browser) than from MS IE 3 and way more than StarOffice.

Re:IE vs. Open Systems and Standards

[Qybix]

Not to be overly critial of M$, but they have NOT fixed ie... They have fixed hotmail instead, and left ie unfixed so that other web sites and e-mail providers can still be at the mercy of this problem. M$ would/will never fix ie so long as leaving it unfixed will hurt someone else as much or more than them. When you deal with M$ you are not dealing with an intellegece, you are dealing with an instinct.

READ the link carefully! M$ has done nothing to stop either threat: Not the initial {html blah blah blah} threat, or the {?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time" /}
{?import namespace="t" implementation="#default#time2"} threat.

NOTHING HAS BEEN FIXED...

Note: { used instead of