Information Security News mailing list archives
Re: New Hotmail hole discovered
From: mea culpa <jericho () DIMENSIONAL COM>
Date: Thu, 16 Sep 1999 12:58:10 -0600
Reply From: Jason Axley <jason.axley () attws com>
Date: Wed, 15 Sep 1999 20:37:50 -0600
From: mea culpa <jericho () DIMENSIONAL COM>
Subject: [ISN] New Hotmail hole discovered

From: Robert Kemp <sensuant () hotmail com>
http://www.zdnet.com

New Hotmail hole discovered
Javascript can be used to jimmy open Hotmail accounts, bugfinder says. 'This is not a security issue,' Microsoft says.
[details omitted to emphasize the irresponsible views of Microsoft]
Microsoft (Nasdaq:MSFT) is not claiming ownership of this latest problem. "This is not a Hotmail security issue. We see it as an example of people encouraging users to run malicious code on the Web," a Microsoft spokesperson said. "To protect yourself now, you can disable JavaScript, just disable it before using Hotmail, or do not open mail from unknown people when you think it might contain JavaScript," the spokesperson added. "Microsoft is investigating ways for Hotmail users to have greater security against threats posed by malicious use of JavaScript in e-mail."
This _is_ a real security issue in hotmail. That said, I can't believe:

1) that MS would claim that it is not their problem that their hotmail software allows javascript to creep into emails. They just aren't filtering it out from all possible places.

2) That they blame the finders of the problem (i.e. kill the messenger) for "encouraging users to run malicious code on the web" rather than taking responsibility for it.

3) Additionally, they still are claiming that it is the user's problem if they do not disable javascript before going to hotmail (as if they are supposed to know to do that or be expected to do so) and they claim that users should know to not open emails from unknown sources.

This is ridiculous posturing. If all security was left in the hands of users--how secure would we be? Scary thought. MS had taken several steps forward in their handling of security problems. With this, they may have taken a giant leap backwards.

Now, in Microsoft's defense, the question to ask of zdnet is "Who is your source?" "A Microsoft spokesperson" is not very descriptive, nor does it indicate that this individual is qualified to be making these statements. I challenge zdnet to back up their story...

-Jason
AT&T Wireless Services IT Security
UNIX Security Operations Specialist

ISN is sponsored by Security-Focus.COM
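The reply above faults Hotmail for not filtering JavaScript "from all possible places". As an added example (not code from this thread or from Hotmail), here is an allow-list HTML sanitiser of the kind a webmail renderer needs to avoid that class of gap: instead of hunting for script, it re-emits only known-safe tags and attributes and drops everything else. The tag, attribute and scheme lists are constructed for illustration, not Hotmail's actual policy.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for the example; a real webmail policy would be larger.
ALLOWED_TAGS = {"p", "b", "i", "br", "a", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def safe_url(url: str) -> bool:
    """Relative URLs or an explicit http/https/mailto scheme only."""
    scheme = urlparse(url.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


class AllowListSanitizer(HTMLParser):
    """Re-emits only allow-listed tags/attributes; everything else is dropped.

    Dropping rather than block-listing means event handlers (on*), unknown
    tags and non-http(s) URL schemes never reach the page, wherever they sit.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skipping = 0  # depth inside <script>/<style>; their text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1
        elif tag in ALLOWED_TAGS and not self.skipping:
            kept = ""
            for name, value in attrs:
                if name in ALLOWED_ATTRS.get(tag, ()) and value is not None:
                    if name == "href" and not safe_url(value):
                        continue  # e.g. javascript: links are stripped
                    kept += f' {name}="{escape(value, quote=True)}"'
            self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS and not self.skipping:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))  # text is never trusted as markup


def sanitize(html: str) -> str:
    """Return a version of untrusted HTML mail safe to render in a webmail page."""
    parser = AllowListSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Because the output is rebuilt from the allow-list, adding a new tag or attribute is a deliberate policy decision rather than something an unfiltered corner of the parser lets through by default.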