New Hotmail hole discovered

Steven J. Vaughan-Nichols ZDNet.co.uk

Published: 14 Sep 1999 09:06 BST


Just what the world didn't need: Another way to crack open Microsoft's beleaguered free, Web-based email system, Hotmail. But, that's exactly what noted Bulgarian bugfinder Georgi Guninski claims to have found.

Guninski, who has made a name for himself by finding security violations in browsers, has found that Hotmail allows JavaScript code embedded in Web pages to run automatically.

This makes it possible for someone to write Web programs that could do anything from stealing passwords to reading other people's mail. While it has long been known that active Web applets, whether written in ActiveX or Java, have the potential to pry open systems from the inside, this is the first case in which someone has shown that Hotmail is vulnerable to such attacks. Is this a purely theoretical hole, or one that crackers can actually use to attack users? The answer, unfortunately, is the latter: correctly written JavaScript programs can, at the least, raid users' inboxes.

Microsoft is not claiming ownership of this latest problem. "This is not a Hotmail security issue. We see it as an example of people encouraging users to run malicious code on the Web," a Microsoft spokesperson said. "To protect yourself now, you can disable JavaScript, just disable it before using Hotmail, or do not open mail from unknown people when you think it might contain JavaScript," the spokesperson added. "Microsoft is investigating ways for Hotmail users to have greater security against threats posed by malicious use of JavaScript in email."

The latest Hotmail hole opens up because Hotmail doesn't handle the new HTML tag "STYLE." Java programmers and Webweavers use STYLE to insert JavaScript into HTML pages. The solution is to force Hotmail to handle STYLE in the same way it does ordinary JavaScript -- disabling it on arrival.
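As an added illustration, not Hotmail's own code: the constructed `MailSanitizer` below can run as the filter the article describes before the fix (SCRIPT stripped, STYLE passed through) or after it (STYLE and inline style attributes handled like ordinary script and removed on arrival). The sample mail body is constructed here too.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample mail body: a SCRIPT element (which the 1999 filter already
# stripped) and a STYLE element plus inline style (which it let through).
SAMPLE_MAIL = (
    "<html><body><p>Hello &amp; welcome</p>"
    "<script>/* active content */</script>"
    "<style>/* stylesheet; browsers of the day could run script from here */</style>"
    '<p style="color:red" onclick="x()">Bye</p></body></html>'
)

class MailSanitizer(HTMLParser):
    """Rebuild HTML, dropping active content. strip_style=False mimics the
    pre-fix Hotmail filter (SCRIPT stripped, STYLE passed through);
    strip_style=True is the fix the article describes."""

    def __init__(self, strip_style):
        super().__init__()  # convert_charrefs=True: text is re-escaped on output
        self.blocked = {"script"} | ({"style"} if strip_style else set())
        self.drop_attrs = {"style"} if strip_style else set()
        self.out = []
        self.skip_depth = 0  # > 0 while inside a blocked element

    def handle_starttag(self, tag, attrs):
        if tag in self.blocked:
            self.skip_depth += 1
        elif not self.skip_depth:
            # on* attributes are script by another name; style attrs go with STYLE
            kept = [(k, v) for k, v in attrs
                    if not k.startswith("on") and k not in self.drop_attrs]
            self.out.append("<%s%s>" % (tag, "".join(
                ' %s="%s"' % (k, escape(v or "", quote=True)) for k, v in kept)))

    def handle_endtag(self, tag):
        if tag in self.blocked:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize(doc, strip_style=True):
    # Returns doc with blocked elements (and their contents) and attributes removed
    p = MailSanitizer(strip_style)
    p.feed(doc)
    p.close()
    return "".join(p.out)
```

Running `sanitize(SAMPLE_MAIL, strip_style=False)` leaves the STYLE element in the delivered mail; with `strip_style=True` only the plain paragraphs survive.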

The fix may be simple, but the timing for Microsoft could not be worse. The latest Hotmail security breach follows by weeks a major Hotmail security meltdown. It took Microsoft hours to fix the problem, but millions of user accounts were left unprotected in the interim. Since that initial breach, the company has brought in TrustE and another auditing firm to help it head off future Hotmail security breaches.
