Yahoo and Hotmail e-mail accounts at risk by severe security vulnerability

Mar 23, 2004 12:16AM PST

Remotely Exploitable Cross-Site Scripting in Hotmail and Yahoo

Flaws in the filtering technology used by Web-based email services make it possible for hackers to smuggle viruses past defences. Israeli security outfit GreyMagic Software warned today that this "severe security" vulnerability could allow attackers to run code of their choice, "simply by sending an email to an unsuspecting Hotmail or Yahoo! user". When the victim attempts to read this email, the code executes to potentially dire consequence (e.g. theft of the user's login and password, seizure of machines etc.). The problem stems from a Cross-Site Scripting vulnerability involving IE. To blame is a new way to embed script involving an IE technology called HTML+TIME (based on SMIL), which is meant to add timing and media synchronization support to HTML pages.

http://www.securitynewsportal.com/index.shtml

Dumb question
Mar 23, 2004 12:39AM PST

Would another browser (specifically Firefox or Mozilla) not be subject to this vulnerability?

Answered my own question (I really should read the articles to the end before asking my dumb questions)
Mar 23, 2004 12:44AM PST

Users of these services may want to use a browser other than IE as a workaround, at least until a fix is in place....

Also.....
Mar 23, 2004 1:27AM PST

Affected applications:

- Hotmail web-based email service (when used with IE).
- Yahoo web-based email service (when used with IE).

Note that many other web-based services may be vulnerable to this method of exploitation, as it is a completely new way to embed script.