An Israeli security company is warning users of Yahoo's e-mail service and Microsoft's Hotmail service of a serious security flaw that could allow remote attackers to run malicious computer scripts on computers using Microsoft Internet Explorer.
The vulnerability was discovered in an Explorer feature used to process extensions to HTML called HTML + TIME. The hole could allow attackers to steal login and password information, or browse the contents of an e-mail account, GreyMagic Software said.
The company tested the vulnerability against Yahoo and Hotmail, but warned it could affect other e-mail services.
Microsoft was informed of the problem on 11 March and has already patched its Hotmail service. However, Yahoo users and other users of web-based e-mail services could be vulnerable to attack.
HTML + TIME, or Timed Interactive Multimedia Extensions for HTML, is a technology standard that makes it easier to deliver multimedia content to web browsers over the internet.
Hotmail and Yahoo filter incoming HTML-format e-mail messages for malicious code. However, GreyMagic said the filtering, combined with support for HTML + TIME, makes it possible to use to inject malicious script into incoming e-mail messages.
The script would be run when the web e-mail message is opened and could be used to exploit the machine on which the web mail was being read. However, the Explorer browser had to be used to check the web mail account for the exploits to work.
GreyMagic says the HTML + TIME vulnerability creates a new avenue for embedding malicious script in e-mail messages and may not be detected by other web e-mail providers.
Paul Roberts writes for IDG News Service