Advertisement
Promo

Security threats Toolkit

Microsoft fixes flaw capable of killing Hotmail

Published: 16 Oct 2003 10:45 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Responding to a warning from a maker of antivirus software, Microsoft has fixed a security flaw in Hotmail that would have left the widely used Web-based email service vulnerable to collapse at the hands of online vandals.

Finjan Software said on Wednesday that it told Microsoft of the flaw on 8 October and that the software giant fixed the problem within 24 hours. The vulnerability could have allowed an attacker to use the interactions between Hotmail components to expose a user's address book and send emails. The two functions could have been used to start a Hotmail worm that would have spread whenever a user opened up an infected email, said Menashe Eliezer, manager of Finjan's virus research lab.

"You could read the contact list and send email," Eliezer said. "A worm would have propagated quickly," potentially crippling the network.

Microsoft has been plagued by security concerns. In May, the company scrambled to close a hole in its Passport identity-management system, which acts as the gatekeeper for the Hotmail system and other Microsoft online services. The company recently announced new attempts to secure its customers' systems, including patches that are easier to manage, a focus on default security settings and an initiative to educate its users.

In the case of this most recent Hotmail flaw, the service's active content filter, which polices the activities of ActiveX controls, did not adequately block all scripts, according to Finjan. ActiveX controls are Internet programs that add interactivity to Web sites and run on a computer as if they were the user of that machine. Any system that accessed Hotmail email messages could be affected by the flaw.

Because the service itself was flawed, the fix was easy to apply and took effect immediately, Eliezer said.

Microsoft confirmed that it had received a warning from Finjan and fixed the flaw, but it wouldn't immediately comment on how the flaw escaped its nearly two-year effort, known as the Trustworthy Computing Initiative, to secure its systems.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with EPSON

Did you find this article useful?
58 out of 106 people found this useful


In association with Network Liberation Movement

Talkback

Post a comment


Full Talkback thread

4 comments

  1. Ever time I call up my hotmail acc'nt I can not ge... dave lockard
  2. I cannot access my hotmail account from Ie. After... smokeydog
  3. Since Dec 1st, I can't seem to get into my hotmail... Anonymous
  4. Evertime I try to go to Hotmail,nothing happens. I... Jannette Dalrymple

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:




Related BlackBerry Resources

Protecting the BlackBerry Device Platform Against Malware

BlackBerry Devices with Bluetooth - Security Overview

BlackBerry Enterprise Server IT Policy

BlackBerry Enterprise Solution - Security Technical Overview

BlackBerry Enterprise Solution and RSA SecurID

CIO's Guide to Mobile Security

See All White Papers

Video icon

Video

Sentry Posts Blog

DNA details of innocent will be kept f...

The government has announced that it plans to keep innocent people's DNA details for up to six years. In response to a consultation it launched last December, the government said... More

5 comments

Motorola Droid Drops Today: Happy Droi...

Motorola Droid Drops Today: Happy Droid Day America! Author: Eric Everson, Mobile Security Expert If you’re wondering what all of the buzz is about with words like Droid and Android... More

Post a comment

Mobile Security Profile: BlackBerry St...

Mobile Security Profile: BlackBerry Storm2 Author: Eric Everson BlackBerry handsets are a staple of office culture; from syncing calendars to sharing business-related data,... More

Post a comment


Skip Sub Navigation Links to CNET Brand Links

Help

Become part of the ZDNet community.

ALL TOOLKITS

Blogs

Newsletters