Yahoo and Hotmail Filter Flaw
gandam writes "Israeli computer security firm GreyMagic Software has detected a serious security flaw in Yahoo's Web e-mail service and Microsoft Corp.'s Hotmail service, which could allow hackers to run malicious scripts on users' computers. I tried sending a mail to my yahoo account and it never reached my mailbox. According to the website, all attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com. No replies were received to date. Works only in IE5, though."
Had me worried there for a second.
Still, I've got friends who run IE, and now they'll have incentive to learn the true joys of Mozilla Firefox.
Thanks for the heads-up.
hanzie
********* sig: If you don't like the law, get filthy stinking rich, and buy a better one.
to use Mozilla, Konqueror, Opera, et al instead of IE.
GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation.
Wow... I'm actually sort of impressed that Microsoft fixed a vulnerability in their product that was pointed out to them in email, rather than ignoring it until it blew up in their face...
If it lets scripts run on a client, why is this considered a flaw in hotmail/yahoo rather than a flaw in IE? I tried reading the article, but I am not that familiar with HTML and scripting.
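The question above is really about where the filtering duty sits: a webmail service renders untrusted HTML inside the logged-in user's browser session, so its server-side filter is the control that must strip active content before the page reaches IE. The following is an added example (not GreyMagic's finding or either vendor's code) contrasting a hypothetical blocklist filter that only removes `<script>` elements with an allowlist sanitizer; the sample message bodies are constructed.

```python
"""Blocklist vs. allowlist HTML filtering for a webmail reader (added example)."""
import html
import re
from html.parser import HTMLParser

# Hypothetical blocklist filter: removes <script> elements and nothing else.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)

def blocklist_filter(html_text: str) -> str:
    return SCRIPT_RE.sub("", html_text)

# Allowlist policy (assumed for this example): a few inert tags, a few attributes,
# and only http(s)/mailto URLs in href/src.
ALLOWED_TAGS = {"p", "b", "i", "br", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.I)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()          # convert_charrefs=True: entities arrive as data
        self.out, self.skipping = [], False
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):   # drop the element body as well
            self.skipping = True
        if tag not in ALLOWED_TAGS:
            return                        # unknown tag and all its attributes vanish
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue                  # event handlers (onerror, onload, ...) never pass
            if name in ("href", "src") and not SAFE_URL.match(value.strip()):
                continue                  # blocks javascript: and other odd schemes
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = False
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skipping:
            self.out.append(html.escape(data))

def allowlist_filter(html_text: str) -> str:
    s = AllowlistSanitizer()
    s.feed(html_text)
    s.close()
    return "".join(s.out)

# Constructed sample bodies; the crude detector below only grades the two filters.
SAMPLES = ['<p>hi <script>steal()</script></p>',
           '<p><img src="x" onerror="run()"></p>',
           '<a href="javascript:run()">click</a>']
ACTIVE_RE = re.compile(r"<script|\son\w+\s*=|javascript:", re.I)

def compare():
    """Per sample: (active content survives blocklist?, survives allowlist?)."""
    return [(bool(ACTIVE_RE.search(blocklist_filter(s))),
             bool(ACTIVE_RE.search(allowlist_filter(s)))) for s in SAMPLES]
```

Only the first sample is caught by the blocklist; the allowlist neutralises all three because anything not explicitly permitted is dropped rather than pattern-matched.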
Well, like most /. folk, I'm using Firefox on BSD on a SPARC.
If you let your friends and relatives use Windows and IE, then you are only harming them (and the rest of us who get slammed by their viruses trying to break mutt on my machine).
Take the needle out. Put down the crack pipe.
Really, the web took off because it was platform independent and full of juicy goodness.
"Must use IE" or "best used with IE" means that they should STOP using http to transfer their garbage and only serve on MSN.
Really. The web sucked the business out of Compuserve for a good reason. Open Platforms and Open Standards were the big attraction. Remember?
---
During the myDoom.* fest, I asked our SVP about looking at deploying Linux on the desktop for users who don't truly actually REQUIRE MS and MS tools.
He asked if I "thought Linux was ready for the desktop here."
"Hmmm," said I, "I'm not 100%. But do you think Windows is?"
That Yahoo and Hotmail are pretty much the most used/spammed services out there, and therefore will have their security holes pinpointed sooner than lesser-known services. Doesn't mean that the lesser knowns are more secure, just blissfully ignorant. Something to ponder...
------- "A true friend stabs you in the front." -Eliot
You say this company is clearly focused on security; well, it should be, after all the trouble Microsoft has been through recently (all those exploits for windows that were, needless to say, pretty major).
Whatever people may say, Microsoft has got a lot of money. Money usually means that you can pay for important things. It is good to see that Microsoft isn't totally slacking and letting things go to rot.
I would expect the same of IBM and Sun.
If only Firefox would take a page from these slimebags and make it as easy to install the better browser as it is to install Hotbar. We could get way more people converted that way.
Yeah, right.
Do they also need fixes?
The real "Libtards" are the Libertarians!
So what. Just because you run Windows doesn't mean you have to use IE. In fact I make my living supporting Windows and Netware and I run IE only when absolutely necessary (mostly to test out problems my clients are having with it). The rest of the time I run Mozilla for both browsing and email.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
Here's a question: What are the odds that this came to the surface due to the leaked source code? It contained code from IE 5 IIRC...
Remember that Hotmail was down on Friday March 12.
This is the time when Microsoft was working on the fix. Could the two events be related?
I still want to know how they would get username/password with JavaScript. Only way I could think of is to write my own fake login screen.
Have you ever been to a turkish prison?
When I worked for a VLSI team in Boston in the late eighties, our CAD vendor had a support contract which promised one major release a year. But it was almost a year since version 4.0, and their new release wasn't ready. So they just patched their latest release (4.2) with some bug fixes and a few minor features, and shipped it as 5.0. Everyone could see it was basically the same as 4.0 + patches.
When version 5.1 came out a few months later, that was a huge change over 5.0! They replaced their standard menu-for-newbies + hotkeys-for-experts interface with the most hideous UI I've ever had the misfortune of using. It was based on "mouse gestures." You were supposed to "draw" a D with your mouse to delete a selected object, for instance. Half the time it would get the wrong gesture. Our productivity dropped precipitously, but because the 5.0 release had been rushed, there were bugs that were fixed in 5.1 and we couldn't work with the 5.0. So many customers complained that they quickly came out with 5.2, which was just 5.0 with the known bugs fixed.
So I've learned that the positions of the digits don't necessarily mean anything. Hell, you can't even assume monotonicity all the time!
I wonder why we never see articles blasting Linus for a bug that was fixed somewhere in the 2.3 development tree years after the fact.
But hey, that's Slashdot. User clicks EXE file in an email - massive criticism of Windows security.
Remote root vulnerability fixed in new Linux 2.6.3 kernel - never made it to the front page. If you use Linux you are supposed to read web pages or mailing lists daily and apply patches at least once a week. If you leave your Linux box online while you're gone a few days, there's always a chance that a new exploit is found and a 13-year-old 0wn0r3z Y00 when you get back.