Hotmail bug fix not a cure-all

The free email firm posts a partial fix for a JavaScript security problem, but the company that found the bug quickly works around the fix.

Paul Festa, Staff Writer, CNET News.com (covers browser development and Web standards)

Microsoft's free Web-based email service Hotmail last night implemented a partial fix for a JavaScript security problem.

But the company that brought the problem to light quickly demonstrated a workaround to that fix.

Hotmail yesterday acknowledged that its users were vulnerable to a JavaScript exploit that tricked them into handing over their user names and passwords. This so-called Trojan Horse took advantage of the fact that Hotmail lets users receive JavaScript in email.

The fix Hotmail implemented last night filters out JavaScript from incoming email. But Specialty Installations, the Canadian network solutions provider that yesterday posted a demonstration of the exploit, quickly revised its demonstration to bypass the Hotmail fix.

"We're now serving a different piece of email that does the exact same thing as the previous one," said Specialty Installations programmer Tom Cervenka, who, under the alias Blue Adept, designed the original Hotmail exploit on the company's Because We Can page for nonprofit Web projects. "The net effect is exactly the same."

Hotmail's fix examines incoming email for JavaScript tags, which normally surround JavaScript, and alters those tags to make the script nonfunctional. Cervenka merely placed his JavaScript within HTML image tags, where the Hotmail filter cannot find it.
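The two approaches described above, a blocklist that only neutralizes the tags that normally surround script and an allowlist that rebuilds the message from permitted tags and attributes, are shown side by side in the following Python example. This is an added illustration written for this page, not code from Hotmail, Specialty Installations or the article; it uses only the standard library (`html.parser`), and the two sample messages, the `example.invalid` URL and the `runScript()` placeholder are constructed for the demonstration.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample messages (not from the article). The second places its
# script in an image tag attribute, the placement the article describes.
MSG_SCRIPT_TAG = '<p>Please log in again.</p><script>runScript()</script>'
MSG_IMAGE_TAG = ('<p>Please log in again.</p>'
                 '<img src="http://example.invalid/pixel.gif" onerror="runScript()">')


def neutralize_script_tags(body: str) -> str:
    """Blocklist filter modelled on the partial fix the article describes:
    only the tags that normally surround JavaScript are altered; every other
    tag, attribute and URL passes through untouched."""
    return re.sub(r'<(/?script\b)', r'&lt;\1', body, flags=re.IGNORECASE)


# Allowlist policy (assumed for this example): anything not listed is dropped.
ALLOWED_TAGS = {'p', 'b', 'i', 'br', 'a', 'img'}
VOID_TAGS = {'br', 'img'}
ALLOWED_ATTRS = {'a': {'href'}, 'img': {'src', 'alt'}}
SAFE_URL_PREFIXES = ('http://', 'https://', 'mailto:')
SCRIPT_LIKE = {'script', 'style'}


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the message from an allowlist instead of hunting for script.
    Event-handler attributes (on*) and non-http URLs never make it through,
    whatever tag carries them, so relocating the script does not help."""

    def __init__(self):
        super().__init__()
        self.out = []
        self._skip = 0  # >0 while inside a script/style element

    def handle_starttag(self, tag, attrs):
        if tag in SCRIPT_LIKE:
            self._skip += 1  # suppress the element and its text entirely
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped, its text content still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, etc.
            if name in ('href', 'src'):
                if not (value or '').strip().lower().startswith(SAFE_URL_PREFIXES):
                    continue  # drops javascript:, data:, vbscript: and similar URLs
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f'<{tag}{"".join(kept)}>')

    def handle_endtag(self, tag):
        if tag in SCRIPT_LIKE:
            self._skip = max(0, self._skip - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize_allowlist(body: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return ''.join(parser.out)


def contains_active_script(body: str) -> bool:
    """Simple audit check on a filter's output: a script tag, an on* event
    handler attribute or a javascript: URL means script can still run."""
    lowered = body.lower()
    return ('<script' in lowered
            or re.search(r'\son\w+\s*=', lowered) is not None
            or 'javascript:' in lowered)


if __name__ == '__main__':
    for label, msg in (('script tag', MSG_SCRIPT_TAG), ('image tag', MSG_IMAGE_TAG)):
        print(f'{label}: blocklist still active? '
              f'{contains_active_script(neutralize_script_tags(msg))}; '
              f'allowlist still active? '
              f'{contains_active_script(sanitize_allowlist(msg))}')
```

Running the block prints that the blocklist output is inert for the script-tag message but still active for the image-tag message, while the allowlist output is inert for both. The design point is the one Fee concedes in the article: a filter that looks for one known shape of script has to be extended for every place script can hide, whereas an allowlist only ever has to describe what is permitted.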

Cervenka said he and his company posted the workaround as a warning to Hotmail users.

"I didn't want anyone to get the idea that the service is now safe, because it's not safe," he said.

Hotmail said it was not surprised that its fix had been breached, and said the company implemented it knowing it was a partial solution.

"There are ways you can hide the JavaScript, or other malicious code, so this doesn't work as a total fix," said Sean Fee, director of product marketing at Hotmail. "Basically we knew that we had something that we could implement fairly quickly that would make it difficult to send a message with JavaScript in it, but knew it was partial."

Cervenka disputed that Hotmail made it significantly more difficult to send malicious code.

"I figured out my workaround in about ten seconds," he said.

Cervenka said other Web-based email services that filter out JavaScript were at risk for the same kind of workaround. He mentioned Yahoo Mail as one such example, and said it would be a simple matter for him to replicate a demonstration of his exploit for that service.

Yahoo defended its JavaScript filter and said that it worked against JavaScript sent within HTML tags.

WhoWhere, a division of Lycos that powers both MailExcite and its own MailCity service, did not return phone calls seeking comment. Lycos did not return calls regarding its own email service, Lycos Email, which is powered by iName.

USA.net, which powers both its own NetAddress Web-based email service as well as those provided by Netscape Communications and American Express, today said that it had implemented a temporary fix to the problem. But Danny Winokur, vice president of business development for USA.net, said his company had not yet determined whether it was vulnerable to the Specialty Installations workaround.

USA.net yesterday described its fix as an interim solution put in place in advance of a permanent one that would protect users from hostile exploits but still allow them to receive JavaScript.

Hotmail today said its long-term goal was the same.

"Ultimately the goal is to let users have the functionality that scripting makes available to them," Fee said. "That's the long-term solution. Addressing this particular issue is of greater importance at the moment."

Fee also said Hotmail was working on a "more robust and completely audited solution," but he declined to specify a timetable for its implementation.

In the meantime, Hotmail and the exploit's designer are recommending different solutions. Specialty Installations suggests that Hotmail users disable JavaScript in their browsers.

But Fee said users should merely disregard any requests for their user name and password and instead return to the Hotmail start page to log in again. "We don't advocate the solution of turning off JavaScript in the browser," Fee said.

Aside from talking to the press, Hotmail has taken no steps to alert its users to the threat, Fee said. "We're going to address it appropriately," he said, but did not say when.

Cervenka is not the only programmer to post potentially harmful exploits to publicize security risks. Nor is he the first to demonstrate that a Trojan Horse can successfully glean user names and passwords from unsuspecting Netizens.

Earlier this month, a programmer demonstrated a JavaScript exploit that presents the user with a dialog box that mimics a common Windows box that legitimately requests user name and password.

Hotmail's Fee took a dim view of programmers who create these exploits to get across their points about security.

"We would like to be responsive to people who find bugs or other things within our system," Fee said. "We would like to engage people in dialogue and to have interaction with them directly if possible."

Cervenka said he had emailed Hotmail with his concerns several times, but had only received an automated response.

"We have several email addresses on the site, and we will have to investigate separately the comments that he sent in," Fee said. "Generally speaking, those emails will get to their destination so we can see if suggestions can be implemented, and determine the seriousness of them. It looks like the process didn't work in this particular case, but in other instances it has."

Cervenka said he was not surprised he was able to bypass Hotmail's fix.

"I don't expect Hotmail to be able to figure it out in an overnight kind of a way," Cervenka said. "I'd be extremely surprised if Hotmail could create a workaround that I couldn't work around fairly quickly. It's probably going to be a drawn-out problem, not a matter of saying, 'It was just an oversight, now it's fixed.'"

"And it doesn't even have to be JavaScript to create a headache," Cervenka added.