-Caveat Lector-

from http://www.zdnet.com

New Hotmail hole discovered

JavaScript can be used to jimmy open Hotmail accounts, bugfinder says. 'This is not a security issue,' Microsoft says.

By Steven J. Vaughan-Nichols, Sm@rt Reseller
September 13, 1999 3:50 PM PT

Just what the world didn't need: another way to crack open Microsoft's beleaguered free, Web-based e-mail system, Hotmail. But that's exactly what noted Bulgarian bugfinder Georgi Guninski claims to have found.

Guninski, who has made a name for himself by finding security holes in browsers, has found that Hotmail lets JavaScript code embedded in a Web page run automatically. This makes it possible for someone to write Web programs that could do anything from stealing passwords to reading other people's mail. While it has long been known that active Web applets, whether written in ActiveX or Java, have the potential to pry open systems from the inside, this is the first case in which someone has shown that Hotmail is vulnerable to such attacks.

Not just a theoretical hole: Is this a purely theoretical hole, or one that crackers can actually use to attack users? The answer, unfortunately, is the latter: correctly written JavaScript programs can, at the least, raid users' inboxes.

Microsoft (Nasdaq:MSFT) is not claiming ownership of this latest problem. "This is not a Hotmail security issue. We see it as an example of people encouraging users to run malicious code on the Web," a Microsoft spokesperson said. "To protect yourself now, you can disable JavaScript, just disable it before using Hotmail, or do not open mail from unknown people when you think it might contain JavaScript," the spokesperson added. "Microsoft is investigating ways for Hotmail users to have greater security against threats posed by malicious use of JavaScript in e-mail."

The latest Hotmail hole opens up because Hotmail doesn't handle the new HTML tag "STYLE." Java programmers and Webweavers use STYLE to insert JavaScript into HTML pages.
The solution is to force Hotmail to handle STYLE in the same way it does ordinary JavaScript -- disabling it on arrival.

Timing couldn't be worse: The fix may be simple, but the timing for Microsoft could not be worse. The latest Hotmail security breach follows by weeks a major Hotmail security meltdown. It took Microsoft hours to fix that problem, but millions of user accounts were left unprotected in the interim. Since that initial breach, the company has brought in TRUSTe and another auditing firm to help it head off future Hotmail security breaches.

In accordance with Title 17 U.S.C. section 107, this material is distributed without charge or profit to those who have expressed a prior interest in receiving this type of information for non-profit research and educational purposes only.
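The fix the article describes, treating STYLE the way SCRIPT is already treated when mail arrives, illustrated with an added example (not Hotmail's code): a blocklist filter that only knows the tags it was told about, so the newly introduced STYLE element sails through with its body intact, beside an allowlist filter that drops any tag it does not recognise, body included. The tag sets and the sample message are constructed assumptions.

```python
import html
from html.parser import HTMLParser

# Tag sets are assumptions for illustration, not Hotmail's real filter rules.
BLOCKLIST = {"script", "applet", "object", "embed"}       # known-bad tags
ALLOWLIST = {"p", "b", "i", "br", "a", "ul", "li"}         # known-good tags
CONTENT_DROP = {"script", "style", "applet", "object"}    # body is code, drop it too

class Sanitizer(HTMLParser):
    """Rebuilds a message keeping only tags accepted by `keep`; attributes are
    dropped, text is re-escaped, and the body of a dropped code-bearing element
    (script, style, ...) is discarded rather than leaked as visible text."""

    def __init__(self, keep):
        super().__init__()
        self.keep, self.out, self.skip_depth = keep, [], 0

    def handle_starttag(self, tag, attrs):
        if self.keep(tag):
            self.out.append(f"<{tag}>")
        elif tag in CONTENT_DROP:
            self.skip_depth += 1

    def handle_endtag(self, tag):
        if self.keep(tag):
            self.out.append(f"</{tag}>")
        elif tag in CONTENT_DROP and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def sanitize(message, keep):
    parser = Sanitizer(keep)
    parser.feed(message)
    parser.close()
    return "".join(parser.out)

def blocklist_filter(message):  # strips only known-bad tags; an unknown tag passes
    return sanitize(message, lambda tag: tag not in BLOCKLIST)

def allowlist_filter(message):  # keeps only known-good tags; STYLE and its body go
    return sanitize(message, lambda tag: tag in ALLOWLIST)

# Constructed sample message, not a real captured mail.
MESSAGE = ("<p>Hi, see <b>attached</b>.</p><script>/* script body */</script>"
           "<style>/* style body: a 1999 browser could run code from here */</style>")
```

On MESSAGE the blocklist filter returns the paragraph followed by the untouched STYLE element, while the allowlist filter returns only `<p>Hi, see <b>attached</b>.</p>`.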
