Information Security News mailing list archives

New Hotmail Hack Evades Filters


From: InfoSec News <isn () c4i org>
Date: Tue, 11 Sep 2001 01:10:20 -0500 (CDT)

http://www.newsbytes.com/news/01/169934.html

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
10 Sep 2001, 4:19 PM CST
 
A new technique for attacking MSN Hotmail users has been discovered,
the latest in a cat-and-mouse game between Microsoft [NASDAQ:MSFT] and
Javascript security holes.

By adding Javascript to the "From" line of a message sent to a Hotmail
user, an attacker can evade the filters Microsoft has put in place to
protect the millions who rely on MSN's popular Web-based e-mail
service, Newsbytes has confirmed.

Microsoft representatives said the company was investigating the new
attack and declined further comment.

The technique, announced today on a security mailing list, doesn't
even require that the victim open the booby-trapped message.

According to a posting from Bart van Arnhem, a resident of the
Netherlands using the nickname "Oblivion," Hotmail takes the From
address on an incoming message and builds it into the HTML code for
displaying the Hotmail user's Inbox.

As a result, simply viewing the service's Inbox page will cause the
hostile Javascript to execute.

In an e-mail interview with Newsbytes, van Arnhem said that while
Hotmail allows any data to be inserted in the "From" line of incoming
messages, the service appears to be filtering Javascript from the
"Subject" line.
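The rendering flaw the posting describes, as an added example that is not part of the article: a hypothetical, minimal inbox-row renderer (Hotmail's real code is not shown anywhere on this page) with the flawed pattern, where only the Subject is filtered, next to the form that escapes every untrusted header at output time, plus a small audit helper that reports which fields reach the HTML unchanged.

```python
# Added example, not the original article's or Hotmail's code. Header
# values and the row template are constructed for illustration.
import re
from email.utils import parseaddr
from html import escape

# Constructed sample headers: the From display name carries markup that
# must never reach the browser as live HTML.
SAMPLE_HEADERS = {
    "From": '"<script>xss</script>" <mallory@example.com>',
    "Subject": "Hello <b>there</b>",
}

TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(value: str) -> str:
    """Blocklist-style filter standing in for the Subject-line filtering
    the article mentions: removes anything that looks like a tag."""
    return TAG_RE.sub("", value)


def untrusted_fields(headers: dict) -> dict:
    """The attacker-controlled pieces a renderer is about to print."""
    name, addr = parseaddr(headers["From"])
    return {"From": name or addr, "Subject": headers["Subject"]}


def render_row_naive(headers: dict) -> str:
    """Mirrors the flaw described: Subject is filtered, From is not."""
    fields = untrusted_fields(headers)
    return (f"<tr><td>{fields['From']}</td>"
            f"<td>{strip_tags(fields['Subject'])}</td></tr>")


def render_row_escaped(headers: dict) -> str:
    """Hardened form: HTML-escape every untrusted field at output time,
    regardless of which header it came from."""
    fields = untrusted_fields(headers)
    return (f"<tr><td>{escape(fields['From'], quote=True)}</td>"
            f"<td>{escape(fields['Subject'], quote=True)}</td></tr>")


def leaked_fields(render, headers: dict) -> list:
    """Audit: which untrusted fields containing '<' survive unescaped?"""
    html = render(headers)
    return sorted(f for f, v in untrusted_fields(headers).items()
                  if "<" in v and v in html)
```

Running `leaked_fields` over each renderer shows the naive row leaking the From field while the escaped row leaks nothing, which is the check a reviewer would want on every field a mail client interpolates into its inbox page.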

[...]



-
ISN is currently hosted by Attrition.org


