August 25, 1998 (8:45 AM EDT)

Microsoft Hotmail Password Breach Exposed
By Andrew Craig

Users of Microsoft's Hotmail free e-mail service could be tricked into disclosing their user names and passwords to malicious Internet users because of a security hole made public Monday.

The flaw was discovered by engineers at Canadian network reseller Specialty Installations. The engineers posted details Monday of a piece of JavaScript code -- dubbed the "Hot"Mail -- that could be used to show names and passwords of any user of the Hotmail service.

Malicious users can exploit "Hot"Mail by sending an e-mail message containing the JavaScript code to a Hotmail user. When the user reads the message, the JavaScript is activated and forces the user to log in again. The password and user name entered are automatically e-mailed to the malicious user.

JavaScript is a scripting language used to create data-entry forms, pop-up boxes, and other features in Web browsers. Despite the similar name, JavaScript is different from Java.

Redmond, Wash.-based Microsoft said Tuesday it has applied a fix to its Hotmail servers to filter out messages containing JavaScript. A permanent fix that blocks other messages containing potentially harmful scripts will follow.

"Hotmail is devoting significant resources to fixing this and will do so as quickly as possible," Microsoft said in a statement. Hotmail users are advised not to open mail from unknown sources, and not to re-enter their user name and password if given a log-off prompt while using the service.

Tools such as JavaScript and ActiveX are powerful and can be dangerous, according to security consultant Nik Knoth, at SRI Consulting in London. "Active content -- content made to be executable rather than just looked at -- will let you do all kinds of dangerous things," he said.

The information was released, "in the belief that when the public is aware of serious security problems, expedient measures are taken by software manufacturers to solve those problems," according to Tom Cervenka, a Specialty Installations engineer, in an e-mail posted to the BugTraq security mailing list Monday.

Hotmail and other free Web-based e-mail service providers, such as USA.Net, said they are investigating the problem. Services that use filters to prevent JavaScript from being transmitted in e-mail messages, such as Yahoo Mail, are not thought to be vulnerable to the problem.

The code can affect anyone who accesses their Hotmail account using a JavaScript-capable browser, such as Microsoft Internet Explorer or Netscape Navigator. To protect themselves, users should turn off JavaScript in their Web browser's preferences.

"Hot"Mail is one of many JavaScript-based pieces of code that could be executed against users of free e-mail services that don't filter messages to prevent the transfer of JavaScript, according to the engineers. They urged Hotmail to introduce JavaScript filters in its service.
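What a server-side JavaScript filter of the kind the engineers urge (and that the article credits Yahoo Mail with already having) can look like, as an added example that is not from the article, from Microsoft, or from Specialty Installations: an allowlist sanitizer run over a message body before the webmail page renders it. The function names `sanitizeHtml`, `safeHref` and `filterAttributes` are hypothetical, the message body is constructed for the demo, and the scanner is a toy rather than a full HTML parser: it does not handle `>` inside attribute values or entity-encoded URLs, and it only keeps absolute http, https or mailto links. A production mail service would use a maintained sanitizer library.

```javascript
// Added example: allowlist filter for HTML mail bodies (hypothetical names, toy scanner).
// Anything not explicitly allowed is removed, so script tags, event-handler attributes
// and javascript: links never reach the browser that displays the message.

const ALLOWED_TAGS = new Set(['p', 'br', 'b', 'i', 'u', 'a', 'ul', 'ol', 'li', 'div', 'span', 'blockquote']);
const ALLOWED_ATTRS = new Set(['href']);
// Tags whose entire content is discarded, not just the tag markers. <form> is included
// because a fake "log in again" form is exactly the trick the article describes.
const DROP_CONTENT_TAGS = new Set(['script', 'style', 'iframe', 'object', 'embed', 'applet', 'form']);
const SAFE_HREF = /^(https?|mailto):/i;

const TAG_RE = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*?)(\/?)\s*>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Returns the cleaned href if its scheme is on the allowlist, otherwise null.
function safeHref(value) {
  // Strip whitespace and control characters so "java\tscript:" cannot slip past the scheme check
  const cleaned = value.replace(/[\s\u0000-\u001f]/g, '');
  return SAFE_HREF.test(cleaned) ? cleaned : null;
}

// Rebuilds the attribute string of one opening tag, keeping only allowlisted attributes.
function filterAttributes(rawAttrs) {
  let out = '';
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(rawAttrs)) !== null) {
    const name = m[1].toLowerCase();
    const value = m[2] || m[3] || m[4] || '';
    if (name.startsWith('on')) continue;        // onload=, onclick=, onmouseover= ... are script
    if (!ALLOWED_ATTRS.has(name)) continue;     // style=, src=, action= ... are not needed in mail
    if (name === 'href') {
      const href = safeHref(value);
      if (href === null) continue;              // javascript:, data:, vbscript: ... are dropped
      out += ` href="${href.replace(/"/g, '&quot;')}"`;
    }
  }
  return out;
}

// Scans the body tag by tag; unknown tags lose their markup but keep their text,
// DROP_CONTENT_TAGS lose their markup and everything inside them.
function sanitizeHtml(html) {
  let out = '';
  let last = 0;
  let dropUntil = null;   // name of the content-dropping tag we are currently inside
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    const text = html.slice(last, m.index);
    last = TAG_RE.lastIndex;
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    const selfClosing = m[4] === '/';
    if (dropUntil !== null) {
      // Inside <script>...</script> or <form>...</form>: swallow everything up to the matching close
      if (closing && name === dropUntil) dropUntil = null;
      continue;
    }
    out += text.replace(/</g, '&lt;');          // a stray "<" in text is never a tag start
    if (DROP_CONTENT_TAGS.has(name)) {
      if (!closing && !selfClosing) dropUntil = name;
      continue;
    }
    if (!ALLOWED_TAGS.has(name)) continue;
    if (closing) { out += `</${name}>`; continue; }
    out += `<${name}${filterAttributes(m[3])}${selfClosing ? ' /' : ''}>`;
  }
  out += html.slice(last).replace(/</g, '&lt;');
  return out;
}

// Constructed message body: a greeting, a script block, a fake re-login form and a trap link.
const constructedMessage =
  '<p>Hi!<script>document.location="http://placeholder.invalid/";</script></p>' +
  '<form action="http://placeholder.invalid/"><input name="pw"></form>' +
  '<a href="javascript:void(0)" onclick="x()">Your session expired, log in again</a>';
console.log(sanitizeHtml(constructedMessage));
// prints: <p>Hi!</p><a>Your session expired, log in again</a>
```

The split between "drop the markup, keep the text" and "drop everything" matters: an unknown `<font>` tag should not eat the sentence it wraps, but the body of a `<script>` or the fields of a fake login form are not content the recipient should ever see. A filter that only removed the `<script>` markers would display the script source as text, which is harmless but ugly; one that removed nothing lets the message re-prompt for the password, as "Hot"Mail did.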
