Hotmail vulnerable to character replacement hole (j&#x41;vascript:)
----------------------------------------------------------------------------

SUMMARY

Security holes in Hotmail are dangerous for two important reasons. First, Hotmail is used by a huge number of inexperienced Internet users (who do not wish to pay for 'regular' e-mail accounts). Those users are mostly security unaware, and security holes in Hotmail are likely to make them vulnerable to attack. The second reason Hotmail attacks are dangerous is that it is extremely easy to conduct such an attack. Unlike a 'malicious web site' attack, the attacker can initiate the attack (simply by sending an e-mail message). It is easy to verify whether the victim is vulnerable (an e-mail address of the form [EMAIL PROTECTED] is certainly a Hotmail user) and, again unlike a normal HTML attack, the attacker can be totally anonymous (since it is fairly trivial to hide the origin of an e-mail message).

This newly discovered Hotmail security hole is very similar to the previous holes (see the 'additional information' section of this advisory), and although Microsoft is rather quick in closing the security holes shortly after they're discovered, the fact that most of those holes are variations of the same problem shows that reading mail in Hotmail using a JavaScript-enabled browser is a real security risk.

This new hole bypasses Hotmail's JavaScript filtering mechanism by writing the hexadecimal character reference of one letter of the "javascript:" scheme instead of writing the literal letter (the code looks like this: <IMG SRC="j&#x41;vascript:alert('Javascript is executed')">). This code, when viewed in Internet Explorer, allows the attacker to read the victim's e-mail, and possibly perform other actions on the victim's mailbox.

DETAILS

Some time ago Hotmail fixed the "javasCript" bug, but now a similar issue arises using hexadecimal codes. A security flaw in Hotmail allows injecting and executing JavaScript code in an e-mail message.

This exploit works on Internet Explorer if Active Code execution is enabled. Hotmail filters the "javascript:" protocol for security reasons, but it does not filter the code "j&#x41;vascript", where "&#x41;" is the hexadecimal ASCII code of "A"; the browser decodes the character reference before it resolves the URL, so the filter sees one string and the browser acts on another. So the following HTML is executed:

<IMG SRC="j&#x41;vascript:alert('Javascript is executed')">

if the user has enabled automatic loading of images (most users have). This is similar to other Hotmail vulnerabilities, and they all have the same effect.

Workaround:
Disable Active Scripting.

Exploit code:
<IMG SRC="j&#x41;vascript:alert('Javascript is executed')">

ADDITIONAL INFORMATION

Similar Hotmail vulnerabilities:

<http://www.securiteam.com/exploits/Yet_another_Hotmail_security_hole_-_injecting_JavaScript_in_IE_using___import_url_javascript______.html>
Yet another Hotmail security hole - injecting JavaScript in IE using '@import url(javascript:...)'

<http://www.securiteam.com/securitynews/A_major_security_flaw_in_Hotmail_allows_execution_of_JavaScript_code.html>
A major security flaw in Hotmail allows execution of JavaScript code

<http://www.securiteam.com/securitynews/HotMail__cookies__security_vulnerability.html>
HotMail 'cookies' security vulnerability

<http://www.securiteam.com/securitynews/Hotmail_vulnerability_leaves_users_totally_exposed.html>
Hotmail vulnerability leaves users totally exposed

<http://www.securiteam.com/securitynews/New_security_vulnerability_in_Hotmail__injection_of_JavaScript_to_LOWSRC_.html>
New security vulnerability in Hotmail (injection of JavaScript to LOWSRC)

The information was provided by: <mailto:[EMAIL PROTECTED]> Georgi Guninski.
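The bypass described above works because a literal-match filter inspects the raw attribute text while the browser inspects the decoded text. The following example, added here and not part of the original advisory, contrasts a blocklist filter of the kind the advisory describes with a scheme-allowlist check that normalizes the URL the way a browser will (decode character references, drop embedded control characters, lower-case) before deciding. The sample tags are constructed: the entity-encoded payload is the advisory's own, and the "javasCript" and missing-semicolon variants are assumed forms of the same trick.

```python
import html
import re

# Constructed sample tags: the advisory's payload, the earlier mixed-case
# variant it mentions, an assumed no-semicolon form, and a benign image.
SAMPLES = {
    "entity": '<IMG SRC="j&#x41;vascript:alert(\'Javascript is executed\')">',
    "case":   '<IMG SRC="javasCript:alert(1)">',
    "nosemi": '<IMG SRC="j&#x41vascript:alert(1)">',
    "benign": '<IMG SRC="http://example.org/pic.gif">',
}

SRC_ATTR = re.compile(r'SRC\s*=\s*"([^"]*)"', re.IGNORECASE)
ALLOWED_SCHEMES = ("http", "https")


def naive_filter_blocks(tag: str) -> bool:
    """Literal blocklist in the spirit of the filter the advisory describes:
    rejects only when the exact bytes 'javascript:' appear in the raw HTML."""
    return "javascript:" in tag


def hardened_filter_blocks(tag: str) -> bool:
    """Decide on the URL the browser will actually see, then allow only an
    explicit set of schemes. Returns True when the tag should be rejected."""
    match = SRC_ATTR.search(tag)
    if match is None:
        return True  # unparsable SRC: reject rather than guess
    url = match.group(1)
    url = html.unescape(url)                 # j&#x41;vascript -> javascript (semicolon optional)
    url = re.sub(r"[\x00-\x20]", "", url)    # browsers skip embedded controls and whitespace
    url = url.lower()                        # javasCript -> javascript
    if ":" not in url:
        return False                         # relative URL: no scheme to abuse
    scheme = url.split(":", 1)[0]
    return scheme not in ALLOWED_SCHEMES     # allowlist, not blocklist


def compare_filters() -> dict:
    """Map each sample name to (naive_blocks, hardened_blocks) for inspection."""
    return {name: (naive_filter_blocks(tag), hardened_filter_blocks(tag))
            for name, tag in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in compare_filters().items():
        print(f"{name:7s} naive_blocks={verdict[0]!s:5s} hardened_blocks={verdict[1]}")
```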
-------------------------------------------------------------------
Archive at http://www.mail-archive.com/milis@hackerlink.or.id