But the company that brought the problem to light quickly demonstrated a workaround to that fix.
"We're now serving a different piece of email that does the exact same thing as the previous one," said Specialty Installations programmer Tom Cervenka, who, under the alias Blue Adept, designed the original Hotmail exploit on the company's Because We Can page for nonprofit Web projects. "The net effect is exactly the same."
Cervenka said he and his company posted the workaround as a warning to Hotmail users.
"I didn't want anyone to get the idea that the service is now safe, because it's not safe," he said.
Hotmail said it was not surprised that its fix had been breached, and said the company implemented it knowing it was a partial solution.
Cervenka disputed that Hotmail made it significantly more difficult to send malicious code.
"I figured out my work-around in about ten seconds," he said.
WhoWhere, a division of Lycos that powers both MailExcite and its own MailCity service, did not return phone calls seeking comment. Lycos did not return calls regarding its own email service, Lycos Email, which is powered by iName.
USA.net, which powers both its own NetAddress Web-based email service as well as those provided by Netscape Communications and American Express, today said that it had implemented a temporary fix to the problem. But Danny Winokur, vice president of business development for USA.net, said his company had not yet determined whether it was vulnerable to the Specialty Installations workaround.
Hotmail today said its long-term goal was the same.
"Ultimately the goal is to let users have the functionality that scripting makes available to them," Fee said. "That's the long-term solution. Addressing this particular issue is of greater importance at the moment."
Fee also said Hotmail was working on a "more robust and completely audited solution," but he declined to specify a timetable for its implementation.
Aside from talking to the press, Hotmail has taken no steps to alert its users to the threat, Fee said. "We're going to address it appropriately," he said, but did not say when.
Cervenka is not the only programmer to post potentially harmful exploits to publicize security risks. Nor is he the first to demonstrate that a Trojan Horse can successfully glean user names and passwords from unsuspecting Netizens.
Hotmail's Fee took a dim view of programmers that create these exploits to get across their points about security.
"We would like to be responsive to people who find bugs or other things within our system," Fee said. "We would like to engage people in dialogue and to have interaction with them directly if possible."
Cervenka said he had emailed Hotmail with his concerns several times, but had only received an automated response.
"We have several email addresses on the site, and we will have to investigate separately the comments that he sent in," Fee said. "Generally speaking, those emails will get to their destination so we can see if suggestions can be implemented, and determine the seriousness of them. It looks like the process didn't work in this particular case, but in other instances it has."
Cervenka said he was not surprised he was able to bypass Hotmail's fix.
"I don't expect Hotmail to be able to figure it out in an overnight kind of a way," Cervenka said. "I'd be extremely surprised if Hotmail could create a workaround that I couldn't work around fairly quickly. It's probably going to be a drawn-out problem, not a matter of saying, 'It was just an oversight, now it's fixed.'"