Security company Finjan Software has warned of a
security vulnerability in Microsoft's Hotmail web-based e-mail
service, but Microsoft said that the hole has already been
closed.
The latest security flaw, known as a cross-site scripting
vulnerability, could be used to create an internet worm that steals
e-mail addresses from Hotmail users' accounts, captures credit card
numbers or installs Trojan horse programs, Finjan said.
The vulnerability exists in the way that Hotmail treats e-mail
containing ActiveX controls, reusable software components that let
programmers embed sophisticated user interface elements and other
native code into web pages for use over a corporate intranet or the
internet. Hotmail's content filters do not adequately block e-mail
messages containing the controls.
In cross-site scripting attacks, malicious hackers embed attack
code in web pages or HTML e-mail messages. Because the injected code
runs in the victim's browser with the privileges and session of the
site that displayed it, in this case Hotmail, a successful attack can
give the attacker access to personal account or financial information
or control over the victim's machine.
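As an added example (not code from Finjan, Microsoft or this article), here is the contrast the two paragraphs above turn on: an allowlist sanitizer for HTML e-mail that removes object, embed, applet, script and iframe elements together with every scripting attribute and `javascript:` URL, beside a deliberately fragile denylist filter that strips only a known tag pattern. The article does not say how Hotmail's filter actually failed, so the denylist filter is an illustration of why pattern-stripping is not adequate, not a reconstruction of Hotmail's code; the tag lists, the placeholder classid and the sample message are all constructed for this example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Elements a webmail renderer may safely keep (constructed, minimal list).
# Anything not listed (object, embed, applet, script, iframe, img, ...)
# is removed; for DROP_WITH_CONTENT the element's body is removed as well.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol",
                "li", "blockquote", "table", "tr", "td", "th", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan", "rowspan"},
                 "th": {"colspan", "rowspan"}}
DROP_WITH_CONTENT = {"script", "style", "object", "applet", "iframe"}
VOID_TAGS = {"br"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


def _safe_url(value):
    """Allow http(s)/mailto and scheme-less (relative) URLs; reject the rest.

    Whitespace and control characters are removed before the check because
    browsers ignore them inside a scheme ("jav\\tascript:" still runs)."""
    v = re.sub(r"[\x00-\x20]", "", value.lower())
    return v.startswith(SAFE_SCHEMES) or ":" not in v


class _Sanitizer(HTMLParser):
    """Rebuild the message from the allowlist; everything unknown is dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1   # an unclosed <object> drops the rest: fail closed
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                 # strip the tag itself, keep its visible text
        kept = []
        for name, value in attrs:  # HTMLParser already lowercases tag and attr names
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue           # removes on* handlers, style, classid, data, ...
            value = value or ""
            if name == "href" and not _safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments are dropped; they carry nothing the reader needs


def sanitize_html_email(html):
    """Return an allowlist-sanitized copy of an HTML e-mail body."""
    p = _Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out)


def naive_blocklist_filter(html):
    """Constructed denylist filter: strips only an exact lowercase <object>.

    This is NOT Hotmail's filter; it stands in for the general weakness of
    removing known-bad patterns, which a differently written tag walks past."""
    return re.sub(r"<object\b[^>]*>.*?</object>", "", html, flags=re.S)


# Constructed sample message; the classid is a placeholder, not a real control.
SAMPLE_MAIL = (
    '<p>Hi, see <a href="https://example.com/x">this</a>.</p>'
    '<OBJECT classid="clsid:PLACEHOLDER"><param name="p" value="v"></OBJECT>'
    '<a href="jav\tascript:alert(1)">click</a>'
    '<img src="x" onerror="alert(2)">'
    '<script>alert(3)</script>'
)

if __name__ == "__main__":
    print("allowlist:", sanitize_html_email(SAMPLE_MAIL))
    print("denylist: ", naive_blocklist_filter(SAMPLE_MAIL))
```

Run as a script, the allowlist output keeps only the paragraph and a harmless `<a>click</a>`, while the denylist filter returns the upper-case `<OBJECT>`, the `onerror` handler and the `<script>` untouched. The design point is that a sanitizer should enumerate what is permitted and rebuild the document from that, so that anything the filter author did not anticipate is rejected by default rather than passed through.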
As a result of the vulnerability, attackers could run malicious
code on the computer of a Hotmail user who opened an e-mail
containing the malicious ActiveX control.
By embedding a worm engine in the e-mail and code that would
grab the addresses from the Hotmail user's address books, attackers
could use the vulnerability to make a worm, Finjan said.
A Microsoft spokesman said the company was informed of the
problem by Finjan on 8 October and patched the company's Hotmail
systems within 24 hours.
No Hotmail users were affected by the cross-site scripting
vulnerability, he said.
Microsoft has faced frequent criticism for security holes in its
Hotmail and .net Passport single sign-on service, which are used by
millions of people on the internet.
In July, the company issued an emergency patch for the .net
Passport service after security researchers discovered and
publicised a hole in a feature that helps users update their
account password.
Paul Roberts writes for IDG News Service