The glitch created the possibility of attacks that could have let Web miscreants steal passwords, access the content of e-mail opened by victims or even spread worms through Web e-mail, said Lee Dagon, director of research and development for Israeli computer security firm GreyMagic Software. GreyMagic discovered the flaw March 6 and released an advisory about it Tuesday.
"Hotmail and Yahoo do everything they can to prevent script from running in an e-mail message," Dagon said, readily filtering the Hypertext Markup Language content that arrives in messages. "We found a way to bypass their filters in order to make script run."
Technically, the vulnerability is part of a class of problems known as cross-site scripting flaws. Such flaws use a problem in a site's security to pass potentially harmful commands to another site or a user's computer.
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
Microsoft, which had been working on the problem with GreyMagic since March 11, has already fixed the flaw by filtering the potentially malicious script at Hotmail's servers. "Hotmail customers are fully protected from the vulnerability," a Microsoft representative said.
Yahoo said Tuesday afternoon that it expects to have the flaw fixed "shortly."
Yahoo never got the original alert from the security firm, due to an internal glitch, a company representative said Tuesday, after being told of the advisory by CNET News.com.
"Due to an isolated issue, we became aware of this specific report after it was first reported to us and have taken steps to prevent (such oversights) from occurring in the future," a representative said in an e-mail.
The vulnerability takes advantage of the seldom-usedin Internet Explorer, which allows the browser to add timing and synchronization to Web pages. The flaw itself is not in Internet Explorer, however, or Outlook; it requires a Web service to actually have some interesting content to attack, GreyMagic's Dagon said.
"A script in Outlook would have to rely on a second vulnerability to do any real damage," he said. "However, when a script is running in Web-based services, it has immediate access to the entire mailbox."
Microsoft's Hotmail, due to unknown problems with the software giant's Internet identity service, Passport. In December, that could have left users open to attack.
CNET News.com's Jim Hu contributed to this report.