Yahoo patches e-mail hole

Yahoo has patched a hole in its web e-mail service that could have allowed malicious hackers to run malicious computer scripts on...

Yahoo has patched a hole in its web e-mail service which enables hackers to run malicious computer scripts on computers which use Microsoft's Internet Explorer web browser to check web e-mail accounts.

The company applied a fix for the vulnerability shortly after security company GreyMagic Software published an advisory warning about the problem, which also affected Microsoft's Hotmail e-mail service.

Hotmail and Yahoo filter incoming HTML-format e-mail messages for malicious code.

However, the filtering, combined with an internet Explorer feature used to process extensions to HTML called HTML + Time (Timed Interactive Multimedia Extensions), made it possible to inject malicious script into incoming e-mail messages.

The script would be run when the web e-mail message was opened and could be used to exploit the machine on which the web mail was being read. The security hole could allow attackers to steal login and password information, or browse the contents of an e-mail account when Explorer was used to check the web mail account for the exploits to work.

"We learned of a cross-site scripting issue in Yahoo Mail, and immediately began working towards a resolution which was implemented yesterday," said Mary Osako, senior director of communications at Yahoo.

Microsoft was informed on 11 March and patched its Hotmail service before the vulnerability was disclosed. However, security researchers at GreyMagic were unable to reach Yahoo.

Yahoo did know of any users who were affected by the vulnerability.

Paul Roberts writes for IDG News Service

Read more on IT risk management