Information Security News mailing list archives

New Hotmail hole discovered


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Wed, 15 Sep 1999 20:37:50 -0600

From: Robert Kemp <sensuant () hotmail com>

http://www.zdnet.com

New Hotmail hole discovered

JavaScript can be used to jimmy open Hotmail accounts, bugfinder says.
'This is not a security issue,' Microsoft says.

By Steven J. Vaughan-Nichols, Sm@rt Reseller September 13, 1999 3:50 PM PT

Just what the world didn't need: Another way to crack open Microsoft's
beleaguered free, Web-based e-mail system, Hotmail. But, that's exactly
what noted Bulgarian bugfinder Georgi Guninski claims to have found.

Guninski, who has made a name for himself by finding security violations
in browsers, has found that Hotmail enables Web-page embedded JavaScript
code to run automatically.

This makes it possible for someone to write Web programs that could do
anything from steal passwords to read others' mail. While it's long been
known that active Web applets, whether written in ActiveX or Java, have
the potential to pry open systems from the inside, this is the first case
in which someone has shown that Hotmail is vulnerable to such attacks.

Not just a theoretical hole: Is this a purely theoretical hole or one
that can only be used by crackers to attack users? The answer,
unfortunately, is the latter: Correctly written JavaScript programs can,
at the least, raid users' inboxes.

Microsoft (Nasdaq:MSFT) is not claiming ownership of this latest problem.
"This is not a Hotmail security issue. We see it as an example of people
encouraging users to run malicious code on the Web," a Microsoft
spokesperson said.


"To protect yourself now, you can disable JavaScript, just disable it
before using Hotmail, or do not open mail from unknown people when you
think it might contain JavaScript," the spokesperson added. "Microsoft is
investigating ways for Hotmail users to have greater security against
threats posed by malicious use of JavaScript in e-mail."

[snip...]
