Yahoo and Hotmail Filter Flaw

gandam writes "Israeli computer security firm GreyMagic Software has detected a serious security flaw in Yahoo's Web e-mail service and Microsoft Corp.'s Hotmail service, which could allow hackers to run malicious scripts on users' computers. I tried sending a mail to my yahoo account and it never reached my mailbox. According to the website, all attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com. No replies were received to date. Works only in IE5, though."

Works only in IE5, though

[Noryungi]

Yep. Thank Mozilla for Firefox.

Seriously, folks -- I have said it before and I'll said it again -- do not use Microsoft products when it comes to the Internet.

If you care, even minimally, about security, then Firefox and Thunderbird should be installed by default on your Windows machine instead of Internet Explorer and Outlook.

This was the case in one of the companies I worked for, and they had almost zero virus problems in two years.

Re:Hotmail evidently fixed

[Call+Me+Black+Cloud]

Yes, Hotmail was fixed in less than 2 days. That's impressive. You won't hear much about it because it's Microsoft. If Hotmail was open source you'd be reading posts trumpeting the superior open source development model. "See how we joined hands and overcame the problem quickly!"

Well, all I can say is: See how Microsoft worked with a (foreign) company and fixed the problem less than 2 days after hearing about it. This company is clearly focused on security.

Does it have Pay for POP3 access?

[Azureflare]

That's the whole reason I use yahoo. That and I get about 2 pieces of spam a week. I love yahoo, and I've had it for 6 years now. I got it when rocketmail and yahoo were still separate.

I love being able to use yahoo with pop3, I like it a lot better than my ISP email.

Also you know what's funny? myway.com is in my hosts file routed to 0.0.0.0. It's blocked from my computer, as a ad/spam domain. I unblocked it, and I can't see any features of myway on their site. It looks like an almost identical clone to yahoo. It goes back in the hosts file.

I think I'll stick with good ol' reliable yahoo. It's only been down once in the past two years.

BTW, I use linux, so I don't need to worry about this silly IE vulnerability. (I don't even use the webclient anyway).

Open Source Projects vulnerable?

[jaylee7877]

According to the details I've seen on the exploit, it's not just Hotmail and Yahoo that are vulnerable but most webmail interfaces. Has anyone tested this against Horde and SquirrelMail?

You don't use IE but your friends might

[bug-eyed+monster]

A lot of people are saying "big deal, I don't use IE." Neither do I, nor do I use yahoo or hotmail for anything personal. But some of my friends only have a hotmail/yahoo account and use IE either because it's their only choice (at work), or they're too lazy to install, configure and learn to use a new browser.

Now the article says this security flaw allows "Content disclosure of any email in the mailbox." This means that if you have sent anything personal to any mailbox on yahoo or hotmail, this info might be vulnerable, even if you personally don't use IE. The recipient might use IE and get their inbox read by others.

Who is to blame, hmm?

[baafie]

If this flaw works only in IE5, then it is not a flaw in yahoo/hotmail, but just another IE exploit.

Re:Hotmail evidently fixed

[quantaman]

I don't really want to jump in on the open source vs. microsoft security debate here but I think there are a couple important points here, first you're talking about a sample size of 1 here for MS on the contrary most open source security holes I hear about on /. are patched in less than 2 days as well (sometimes hours though those patches don't always work:). But more important this isn't really in the same categories as other security holes, most holes are with microsoft products and there they can drag their feet in releasing a patch because even when the a member of the public has their machine comprimized by a virus (which the patch usually predates) they don't associate microsoft with the problem. A problem with affecting hotmail however is a problem with a microsoft service and thus would be immediatly associated with microsoft and would recieve a much higher priority in being fixed. Not to say that open source is better just that this isn't a good example to cmopare the two.

Re:RTFA: *NOT* an IE bug.

[FireFury03]

Wrong!
(mostly).

While it's true that this is a filtering bug in Hotmail and Yahoo, the reason it's a problem is because "It so happens that Internet Explorer provides one other mechanism to declare a namespace, via the non-standard <?xml:namespace> processing instruction.

So once again, the web designers have to work around IE's non-standards compliance.

Re:RTFA: *NOT* an IE bug.

[FireFury03]

I would've thought it obvious that the non-standard feature should never have been implemented to start with.

Besides, MS have shown in the past that they're happy to completely remove completely standard features that have completely legitimate uses rather than just fixing the bug that makes them dangerous, so why should they find removing a nonstandard feature any more of a problem?

Microsoft have cornered the market with a bugridden browser that they have no motivation to improve by bundling it with standard windows - no web developer wants to alienate 95% of their visitors by refusing to support such a broken piece of software, so web developers are stuck in the continual situation of having to work around the bugs in IE rather than using all those cool features that every other browser supports (and have supported for a long time).