Security company Finjan Software has warned of a security vulnerability in Microsoft's Hotmail web-based e-mail service, but Microsoft said that the hole has already been closed.
The latest security flaw, known as a cross-site scripting vulnerability, could be used to create an internet worm that steals e-mail addresses from Hotmail users' accounts, captures credit card numbers or installs Trojan horse programs, Finjan said.
The vulnerability exists in the way that Hotmail treats e-mail containing ActiveX controls, which are small, portable pieces of software code that enable programmers to embed sophisticated user interface elements into web pages for use over a corporate intranet or the internet. Hotmail content filters do not adequately block e-mail messages containing the controls.
In cross-site scripting attacks, malicious hackers embed attack code in web pages or HTML e-mail messages. Once executed, cross-site scripting attacks can give attackers access to personal account or financial information or control over a remote machine.
As a result of the vulnerability, attackers could run malicious code on the computer of a Hotmail user who opened an e-mail containing the malicious ActiveX control.
By embedding in the e-mail a worm engine together with code that grabs addresses from the Hotmail user's address book, attackers could use the vulnerability to build a self-propagating worm, Finjan said.
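The filtering gap Finjan describes is a content filter that let HTML e-mail carrying ActiveX `<object>` controls, script and event handlers reach the user's browser. As an added example (not part of the article, and not Microsoft's Hotmail filter code), the following Python script, using only the standard library, shows what a defensive HTML-mail sanitizer of that kind has to do: drop active-content containers with their bodies, strip `on*` handlers and `javascript:`-style URLs even when they are obfuscated with entities or whitespace, and record every removal so the filter can be audited. The sample message and its `example.com` / `example.invalid` addresses are constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Elements whose only purpose is to load or run active content: ActiveX and
# plug-in containers, scripts and frames. Their bodies are dropped entirely.
BLOCKED_CONTAINERS = {"object", "embed", "applet", "script", "iframe", "frame"}
# Void (no end tag) elements that can pull in external resources or rewrite URLs.
BLOCKED_VOID = {"meta", "link", "base"}
# Attributes that carry a URL and so may hide a script: or data: scheme.
URL_ATTRS = {"href", "src", "action", "background", "formaction"}


def _is_script_url(value):
    """True if the URL uses a scheme that executes code or inlines content.
    Whitespace and control characters are removed first because splitting the
    scheme ('java\\nscript:') is a common way past a naive prefix check."""
    if value is None:
        return False
    compact = "".join(ch for ch in value
                      if ch.isprintable() and not ch.isspace()).lower()
    return compact.startswith(("javascript:", "vbscript:", "data:"))


class MailSanitizer(HTMLParser):
    """Rewrite an HTML mail body with all active content removed.

    Markup passes through except blocked elements, on* event handlers,
    script-scheme URLs and CSS expressions; each removal is recorded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stripped = []      # (where, why) for every removed item
        self._skip_depth = 0    # > 0 while inside a blocked container

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_CONTAINERS:
            self.stripped.append((tag, "active-content element"))
            self._skip_depth += 1
            return
        if tag in BLOCKED_VOID:
            self.stripped.append((tag, "resource/URL-rewriting element"))
            return
        if self._skip_depth:
            return
        kept = []
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.stripped.append((f"{tag}@{lname}", "event handler"))
            elif lname in URL_ATTRS and _is_script_url(value):
                self.stripped.append((f"{tag}@{lname}", "script URL"))
            elif lname == "style" and "expression(" in (value or "").lower():
                self.stripped.append((f"{tag}@{lname}", "CSS expression"))
            else:
                kept.append((lname, value))
        attr_text = "".join(
            f' {n}="{html.escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_startendtag(self, tag, attrs):
        # Self-closing form: a blocked container here has no body to skip.
        if tag in BLOCKED_CONTAINERS:
            self.stripped.append((tag, "active-content element"))
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in BLOCKED_CONTAINERS:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if tag in BLOCKED_VOID or self._skip_depth:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        # Conditional comments can carry markup for some mail clients; drop them.
        self.stripped.append(("comment", "HTML comment"))


def sanitize_html_mail(body):
    """Return (clean_html, stripped_items) for an HTML mail body."""
    parser = MailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.stripped


# Constructed sample message for this example: one benign link plus an
# ActiveX <object>, an event handler, an entity-obfuscated script: URL
# and an inline <script>.
SAMPLE_MAIL = """<html><body>
<p>Hi, see the <a href="http://example.com/report">report</a>.</p>
<object classid="clsid:00000000-0000-0000-0000-000000000000">
  <param name="url" value="http://example.invalid/control">
</object>
<img src="cid:logo" onerror="alert(1)">
<a href="java&#10;script:alert(1)">click</a>
<script>alert(1)</script>
</body></html>"""

if __name__ == "__main__":
    clean, stripped = sanitize_html_mail(SAMPLE_MAIL)
    print(clean)
    for where, why in stripped:
        print(f"stripped {where}: {why}")
```

The design point is the one the article turns on: a filter that only blocks exact tag names or exact `javascript:` prefixes is easy to slip past, so the sanitizer decodes entities before it inspects attribute values, collapses whitespace in URL schemes, and removes whole element bodies rather than just the opening tag. The `stripped` list is what you would feed into logging or detection to see which messages carried active content.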
A Microsoft spokesman said the company was informed of the problem by Finjan on 8 October and patched the company's Hotmail systems within 24 hours.
No Hotmail users were affected by the cross-site scripting vulnerability, he said.
Microsoft has faced frequent criticism for security holes in its Hotmail and .net Passport single sign-on service, which are used by millions of people on the internet.
In July, the company issued an emergency patch for the .net Passport service after security researchers discovered and publicised a hole in a feature that helps users update their account password.
Paul Roberts writes for IDG News Service