Yahoo and Hotmail Filter Flaw

gandam writes "Israeli computer security firm GreyMagic Software has detected a serious security flaw in Yahoo's Web e-mail service and Microsoft Corp.'s Hotmail service, which could allow hackers to run malicious scripts on users' computers. I tried sending a mail to my yahoo account and it never reached my mailbox. According to the website, all attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com. No replies were received to date. Works only in IE5, though."

Works only in IE5, though?

[slycer9]

Surely that's gotta be wrong! A security hole in IE???
No freakin' WAY!?

Re:Works only in IE5, though?

[xpl_the_myst]

And this is the reason it works only in IE5. Non-standard methods :

However, Hotmail completely filters out that element, so another method of namespace declaration is needed. It so happens that Internet Explorer provides one other mechanism to declare a namespace, via the non-standard <?xml:namespace> processing instruction, which may be used anywhere in the document and does not get filtered.

Re:Works only in IE5, though?

[NickFitz]

I just tried it on IE6, and it works there too - should have said "IE5 upwards", I suppose.

(For those who don't know, MS's versioning is so bizarre that IE5 and IE5.5 are different in more than minor version number, while IE6 is pretty much IE5.5.1. No, I don't understand either; but I'm always glad of a reminder of why I use a Mac these days :-)

Better free email

[Patik]

Try myway.com. It's basically a Yahoo clone, only it doesn't have any banners or popups, and you barely need to put in any information when you sign up -- not even a separate email address.

Myway is also great as a portal or homepage, it's much more customizeable than any other site I've seen, and again, no banners or popups.

You can also read all AP and Reuters stories with no registration, and there's partner links to NY Times and other reg-req'd sites (great for submitting articles to Slashdot).

phew...

[rajinder]

...almost paniced, then I noticed:

only works in IE5 though...

hmm... <mouseGesture>down-right</mouseGesture&gt ;

Re:phew...

[orthogonal]

only works in IE5 though...

Well, that is what the article says, but the proof of concept page also works in IE 6.0 (6.0.2800.1106)

As it happens, provoked by receiving he Netsky virus embedded in an html email in Outlook that attempted to launch via an iframe, I happened to download Spybot Search and Destroy.

Using Spybot Search & Destroy, I found out about another Grey Magic discovered vulnerability, Executing arbitrary commands without Active Scripting or ActiveX. I also discovered that I'd apparently had an Alexa phone-home browser extension installed as a "Browser Helper Object" in IE, god knows for how long.

I've been using Mozilla FireWhatever for quite sometime, eschewing Internet Explorer except for those sites that don't work with IE or for testing my own sites in IE. But clearly, even a careful user with an up-to-date copy of IE and a firewall, isn't safe, principally because rather than concentrate on security and getting what they already have working securely, Microsoft prefers to pile on ever-accumulating layers of non-essential crap like HTML-TIME .

I've no idea why someone thought that HTML-TIME, ostensibly for adding "timing and media synchronization support" to HTMl, required the ability to arbitrarily re-write pages. But clearly it's nothing that's desirable in an email.

My course is clear at this point: after repeated attempts, Microsoft still can't get it right, still cannot write a browser that's anywhere near secure. Crap like "HTML + TIME" is NOT worth the risks it brings with it -- especially when the risks are borne by the end-user in order to make life easier for (generally commercial) web site developers. Boycott IE, and boycott sites that only work in IE -- even if -- especially if, they use Microsoft extensions like "HTML + TIME".

new spamming opportunity

[laugau]

Just have the malicious code make the browser go to my viagra site and force the user to buy 10 cases. That would make me an ULTRA spammer.

Once I do this, I will be able to afford that sould I've been eying on eBay all week.

Another reason

to use Mozilla, Konqueror, Opera, et al instead of IE.

Hotmail evidently fixed

[Strudelkugel]

"Solution: GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation. All attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com, no replies were received to date. "

Re:Hotmail evidently fixed

[Call+Me+Black+Cloud]

Yes, Hotmail was fixed in less than 2 days. That's impressive. You won't hear much about it because it's Microsoft. If Hotmail was open source you'd be reading posts trumpeting the superior open source development model. "See how we joined hands and overcame the problem quickly!"

Well, all I can say is: See how Microsoft worked with a (foreign) company and fixed the problem less than 2 days after hearing about it. This company is clearly focused on security.

Re:Hotmail evidently fixed

[quantaman]

I don't really want to jump in on the open source vs. microsoft security debate here but I think there are a couple important points here, first you're talking about a sample size of 1 here for MS on the contrary most open source security holes I hear about on /. are patched in less than 2 days as well (sometimes hours though those patches don't always work:). But more important this isn't really in the same categories as other security holes, most holes are with microsoft products and there they can drag their feet in releasing a patch because even when the a member of the public has their machine comprimized by a virus (which the patch usually predates) they don't associate microsoft with the problem. A problem with affecting hotmail however is a problem with a microsoft service and thus would be immediatly associated with microsoft and would recieve a much higher priority in being fixed. Not to say that open source is better just that this isn't a good example to cmopare the two.

Re:Only in IE5

[(54)T-Dub]

Yeah according to this site (linked from yahoo) on browser statistics IE 5 only makes up 11% of the market.

Works only in IE5, though

[Noryungi]

Yep. Thank Mozilla for Firefox.

Seriously, folks -- I have said it before and I'll said it again -- do not use Microsoft products when it comes to the Internet.

If you care, even minimally, about security, then Firefox and Thunderbird should be installed by default on your Windows machine instead of Internet Explorer and Outlook.

This was the case in one of the companies I worked for, and they had almost zero virus problems in two years.

Attacking my Hotmail Account

[Kjuib]

If they are going to attack my Hotmail Account they are up for a fight! Pr0n and Viagra have a firm hold, and it is going to take a lot to beat them to my Inbox.

alternatives

[preric]

hmm... should this have been 'news'? most people (well, at least on here) know of sites like Hushmail which offer much better (and still free) security for web-based email. Hotmail and Yahoo are... well, about as secure as windows :)

Does it have Pay for POP3 access?

[Azureflare]

That's the whole reason I use yahoo. That and I get about 2 pieces of spam a week. I love yahoo, and I've had it for 6 years now. I got it when rocketmail and yahoo were still separate.

I love being able to use yahoo with pop3, I like it a lot better than my ISP email.

Also you know what's funny? myway.com is in my hosts file routed to 0.0.0.0. It's blocked from my computer, as a ad/spam domain. I unblocked it, and I can't see any features of myway on their site. It looks like an almost identical clone to yahoo. It goes back in the hosts file.

I think I'll stick with good ol' reliable yahoo. It's only been down once in the past two years.

BTW, I use linux, so I don't need to worry about this silly IE vulnerability. (I don't even use the webclient anyway).

Re:Does it have Pay for POP3 access?

[JPriest]

I have to agree with you here, I too have had been using yahoo mail since rocketmail. Yahoo notepad is another reason I like yahoo mail so much, I don't have to keep emailing myself small bits of information.

Re:Does it have Pay for POP3 access?

[krosk]

FYI - POP3 access is only available for Yahoo! if you pay for. I forget what the actual yearly costs are, probably around $30. However, Yahoo!POPs is freeware that you can access your Yahoo! mail on. It sets up a localhost for the SMTP and POP3 server, and it remotely accesses yahoo! and translates the HTML email pages. Very incredible free program!

Re:Does it have Pay for POP3 access?

[afidel]

So what. Just because you run windows doesn't mean you have to use IE. In fact I make my living supporting Windows and Netware and I run IE only when absolutly necessary (mostly to test out problems my clients are having with it). The rest of the time I run Mozilla for both browsing and email.

More details for those interested

[securitas]

Tried submitting this a couple of times since yesterday but the submission system seems to have picked up a few bugs of its own where it says "Thanks for the submission" but nothing shows up in the queue. Here are the details...

Yahoo, Hotmail Users Vulnerable to XSS PC Attack

Both Yahoo Web e-mail and Microsoft Hotmail are vulnerable to an Internet Explorer cross-site scripting (XSS) attack that lets malicious users run local code, according to Israel's GreyMagic security consultants (proof of concept). Possible consequences range from theft of login and password to a remote takeover of the compromised machine. Reports indicate that Microsoft has patched the hole but Yahoo has yet to solve the problem. The vulnerability presumably affects Windows PC-based versions of Internet Explorer only. Some people might want to read this developerWorks article on how to prevent cross-site scripting and protect oneself, mentioned last month on Slashdot. More coverage at InternetNews and The Register.

Sticking with "Old Faithful" is asking for trouble

[spyrochaete]

Respect to MS for fixing the problem only 2 days later.

It's not the first and won't be the last IE exploit! Be prepared! Don't buy into the monoculture - use "second tier" software whenever possible. Mozilla Firefox is a fantastic free web browser with many security features and simple toggles. Eprompter is an excellent, simple, and free POP3\Hotmail\webmail client that lets you delete messages server-side before you open\view them.

Most important of all, keep up-to-date with Slashdot and other news services to stay aware of new vulnerabilities!

Not only IE5

The reporter has it wrong.

ALL versions of IE *since* 5 contain this feature, which means that if there's a flaw in the filtering mechanism of the web-based email provider, script will run.

Yep, IE5, IE5.5 and IE6.

Myway uses adware.

[Azureflare]

I just did a google search and came up with this:: MyWay Speedbar

Sorry, but I'm not willing to get email with a service that supports the use of adware/scumware.

Re:Myway uses adware.

[geekoid]

Thats why you don't have to enter much information when you sign up. It gets it for you..it's a feature...yeah, thats it.

Re:Myway uses adware.

[HD+Webdev]

Sorry, but I'm not willing to get email with a service that supports the use of adware/scumware.

I looked at the linked page, but although it made several accusations, it almost, but not quite, actually backs up those accusations with facts. It's rather vague. For instance, the "How does it Violate Privacy?" doesn't say how it violates privacy. WTF?

What's strange also is that in contrast to the article, the ratings are as low as possible. All of them are:

"1 - The lowest on the scale of 1 to 5, exhibiting a few potentially harmful or scummy traits with little effect on the end user.".

vim would receive the same ratings.

I'd never looked at the scumware site until now, but I do hope that their reviews more often than not include some useful information. I'd like to have an informative scumware site to look information up at.

interesting tidbit from the article

[Cyberllama]

GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation.

Wow...I'm actually sort of impressed that Microsoft fixed a vulnerabillity in their product that was pointed out to them in email, rather than ignoring it until it blew up in their face. . .

Open Source Projects vulnerable?

[jaylee7877]

According to the details I've seen on the exploit, it's not just Hotmail and Yahoo that are vulnerable but most webmail interfaces. Has anyone tested this against Horde and SquirrelMail?

You don't use IE but your friends might

[bug-eyed+monster]

A lot of people are saying "big deal, I don't use IE." Neither do I, nor do I use yahoo or hotmail for anything personal. But some of my friends only have a hotmail/yahoo account and use IE either because it's their only choice (at work), or they're too lazy to install, configure and learn to use a new browser.

Now the article says this security flaw allows "Content disclosure of any email in the mailbox." This means that if you have sent anything personal to any mailbox on yahoo or hotmail, this info might be vulnerable, even if you personally don't use IE. The recipient might use IE and get their inbox read by others.

Who is to blame, hmm?

[baafie]

If this flaw works only in IE5, then it is not a flaw in yahoo/hotmail, but just another IE exploit.

IE vs. Open Systems and Standards

[MrChuck]

So it only works against IE. An older version of IE. On windows. Oh lawdy lawdy! Alert the press!

Well, like most /. folk, I'm using Firefox on BSD on an SPARC.

If you lets your friends and relatives use Windows and IE, then you are only harming them (and the rest of us who get slammed by their viruses trying to break mutt on my machine).

Take the needle out. Put down the crack pipe.

Really, the web took off because it was platform independent and full of juicy goodness.

"Must us IE" or "best used with IE" means that they should STOP using http to transfer their garbage and only serve on MSN.

Really. The web sucked the business out of Compuserve for a good reason. Open Platforms and Open Standards were the big attraction. Remember?

---
During the myDoom.* fest, I asked our SVP about looking at deploying Linux on the desktop for users who don't truly actually REQUIRE MS and MS tools.
He asked if I "thought Linux was ready for the desktop here."
"Hmmm," said I, "I'm not 100%. But do you think Windows is?"

Re:IE vs. Open Systems and Standards

[mek2600]

Well, like most /. folk, I'm using Firefox on BSD on an SPARC.

Man, I didn't realize I was so lame. I didn't know most people on /. used SPARCs.

Re:Where is the flaw?

[jaylee7877]

The problem is not that the script is getting executed in your browser but that it is a script from an email getting sent and executed by your browser. Most mail clients by default have scripting disabled because a malicious email can do some nasty things like steal your address book or confirm your email account is active to a spammer. It's the Webmail server's job to prevent scripts from being executed, not the browsers.

I probably should point out...

[Klatoo55]

That Yahoo and Hotmail are pretty much the most used/spammed services out there, and therefore will have their security holes pinponted sooner than lesser-known services. Doesn't mean that the lesser knowns are more secure, just blissfully ignorant. Something to ponder...

What about IMP and squirrelmail?

[whoever57]

Do they also need fixes?

RTFA: *NOT* an IE bug.

[Jack+Porter]

This is a bug in Hotmail and Yahoo's filtering of HTML and scripting code. Normally these sites strip any script code, but this is a new way of injecting arbitary script code into the HTML page Hotmail or Yahoo gives you showing the email you wanted to view.

An attacker could craft an HTML email that, when viewed in your inbox on Yahoo or Hotmail will execute some JavaScript or other script code from within the context of the Hotmail.com or Yahoo.com window. So it could do nasty things like deleting your messages automatically, forwaring your emails to another address, etc.

It does NOT allow your computer to execute native code unless the attack exploits some other browser-specific vulnerability.

Webmail will always be succeptible to these kinds of attacks if it does not carefully filter out HTML using any number of obscure features to insert malicious script in the Hotmail.com output.

Re:RTFA: *NOT* an IE bug.

[FireFury03]

Wrong!
(mostly).

While it's true that this is a filtering bug in Hotmail and Yahoo, the reason it's a problem is because "It so happens that Internet Explorer provides one other mechanism to declare a namespace, via the non-standard <?xml:namespace> processing instruction.

So once again, the web designers have to work around IE's non-standards compliance.

Re:RTFA: *NOT* an IE bug.

[FireFury03]

I would've thought it obvious that the non-standard feature should never have been implemented to start with.

Besides, MS have shown in the past that they're happy to completely remove completely standard features that have completely legitimate uses rather than just fixing the bug that makes them dangerous, so why should they find removing a nonstandard feature any more of a problem?

Microsoft have cornered the market with a bugridden browser that they have no motivation to improve by bundling it with standard windows - no web developer wants to alienate 95% of their visitors by refusing to support such a broken piece of software, so web developers are stuck in the continual situation of having to work around the bugs in IE rather than using all those cool features that every other browser supports (and have supported for a long time).

Version numbers are almost meaningless

[Prof.+Pi]

IE5 and IE5.5 are different in more than minor version number, while IE6 is pretty much IE5.5.1.

When I worked for a VLSI team in Boston in the late eighties, our CAD vendor had a support contract which promised one major release a year. But it was almost a year since version 4.0, and their new release wasn't ready. So they just patched their latest release (4.2) with some bug fixes and a few minor features, and shipped it as 5.0. Everyone could see it was basically the same as 4.0 + patches.

When version 5.1 came out a few months later, that was a huge change over 5.0! They replaced their standard menu-for-newbies + hotkeys-for-experts interface with the most hideous UI I've ever had the misfortune of using. It was based on "mouse gestures." You were supposed to "draw" a D with your mouse to delete a selected object, for instance. Half the time it would get the wrong gesture. Our productivity dropped precipitously, but because the 5.0 release had been rushed, there were bugs that were fixed in 5.1 and we couldn't work with the 5.0. So many customers complained that they quickly came out with 5.2, which was just 5.0 with the known bugs fixed.

So I've learned that the positions of the digits don't necessarily mean anything. Hell, you can't even assume monotonicity all the time!