Security company warns of Hotmail worm


Security company Finjan Software has warned of a security vulnerability in Microsoft's Hotmail web-based e-mail service, but Microsoft said that the hole has already been closed.

The latest security flaw, known as a cross-site scripting vulnerability, could be used to create an internet worm that steals e-mail addresses from Hotmail users' accounts, captures credit card numbers or installs Trojan horse programs, Finjan said.

The vulnerability exists in the way that Hotmail treats e-mail containing ActiveX controls, which are small, portable pieces of software code that enable programmers to embed sophisticated user interface elements into web pages for use over a corporate intranet or the internet. Hotmail content filters do not adequately block e-mail messages containing the controls.

In cross-site scripting attacks, malicious hackers embed attack code in web pages or HTML e-mail messages. Once executed, cross-site scripting attacks can give attackers access to personal account or financial information or control over a remote machine.

As a result of the vulnerability, attackers could run malicious code on the computer of a Hotmail user who opened an e-mail containing the malicious ActiveX control.
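The article's point is that Hotmail's content filters did not adequately block mail carrying ActiveX controls. The following is an added example, not Hotmail's filter or anything from Finjan or Microsoft, contrasting the kind of block-list check that only looks for one dangerous tag with an allowlist sanitizer that keeps only known-safe tags and attributes and drops everything else, including `<object>`, `<embed>`, `<script>` and inline event handlers. The allowlist contents, the helper names and the sample message are the author's own assumptions, constructed for illustration.

```python
"""Allowlist-based HTML e-mail sanitizer (added example, not the article's code)."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse


def naive_filter_blocks(html: str) -> bool:
    """A block-list check that only looks for <object>.

    It says nothing about <script>, <embed>, <applet> or event-handler
    attributes, which is why a block-list is the wrong design for mail filtering.
    """
    return "<object" in html.lower()


# Assumed allowlist: what a webmail renderer actually needs for formatting.
SAFE_TAGS = {"p", "b", "i", "u", "br", "a", "ul", "ol", "li", "em", "strong"}
SAFE_ATTRS = {"a": {"href"}}           # no style, no on* handlers, no classid
VOID_TAGS = {"br"}                      # tags that never get a closing tag
DROP_WITH_CONTENT = {"script", "style", "object", "applet"}  # drop body too
SAFE_SCHEMES = {"http", "https", "mailto"}


def is_safe_url(value: str) -> bool:
    """Only allow links with an explicit, benign scheme."""
    return urlparse(value.strip()).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Re-emits only allowlisted tags/attributes; all text is HTML-escaped."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # >0 while inside an element whose body is dropped

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in SAFE_TAGS:
            return  # unknown or risky tag (e.g. <embed>): drop the tag, keep text
        kept = []
        for name, value in attrs:
            if name in SAFE_ATTRS.get(tag, set()) and value and is_safe_url(value):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in SAFE_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))


def sanitize(html: str) -> str:
    """Return the allowlisted, escaped rendering of an HTML e-mail body."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample message: benign formatting mixed with the kinds of
# content a mail filter must remove. CLSID and URLs are placeholders.
SAMPLE_MESSAGE = (
    '<p>Hi, <b>check this</b> <a href="https://example.com/offer">offer</a></p>'
    '<object classid="clsid:CLSID-PLACEHOLDER">hidden</object>'
    '<embed src="https://example.com/control.ocx">'
    '<script>/* attacker-supplied code */</script>'
    '<p onmouseover="alert(1)">Regards</p>'
)

# A message with no <object> at all slips straight past the naive check.
SCRIPT_ONLY = '<p>Hello</p><script>/* attacker-supplied code */</script>'

if __name__ == "__main__":
    print("naive filter blocks SAMPLE_MESSAGE:", naive_filter_blocks(SAMPLE_MESSAGE))
    print("naive filter blocks SCRIPT_ONLY:", naive_filter_blocks(SCRIPT_ONLY))
    print(sanitize(SAMPLE_MESSAGE))
```

The design choice worth noting is that the sanitizer never decides what is bad; it decides what is good and emits nothing else, so a control embedded via a tag the filter author did not think of is dropped by default rather than passed through.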

By embedding a worm engine in the e-mail and code that would grab the addresses from the Hotmail user's address books, attackers could use the vulnerability to make a worm, Finjan said.

A Microsoft spokesman said the company was informed of the problem by Finjan on 8 October and patched the company's Hotmail systems within 24 hours.

No Hotmail users were affected by the cross-site scripting vulnerability, he said.

Microsoft has faced frequent criticism for security holes in its Hotmail and .net Passport single sign-on service, which are used by millions of people on the internet.

In July, the company issued an emergency patch for the .net Passport service after security researchers discovered and publicised a hole in a feature that helps users update their account password.

Paul Roberts writes for IDG News Service
