
Hotmail plugs security hole

The free email firm says a new filter it implemented makes it safe from the security breach that put it in the hot seat this week.

Paul Festa Staff Writer, CNET News.com
covers browser development and Web standards.
Microsoft's Hotmail today claimed victory over the security holes that have put the free email firm on the hot seat this week.

"Last night we released a robust fix," said Sean Fee, director of product marketing at Hotmail. "It was implemented within 36 hours of our awareness of the issue. It is definitely a testament to the Microsoft employees who work here at Hotmail and their dedication to our users' security needs."

Hotmail implemented a filter that strips incoming email of scripts and potentially hazardous elements. Fee declined to specify what those elements were, but the company that highlighted Hotmail's security woes with an exploit demonstration said they included script tags, scripts hidden within HTML tags, metatags, and Java applets, the main tools by which so-called Trojan Horses are deployed. Trojan Horses appear to be benign programs but actually contain malicious code.

"Hotmail's fix is good work," said Tom Cervenka, the Web programmer who authored the demonstration for Canadian network solutions provider Specialty Installations. "They did a great job. I can't see a way around it."

Specialty Installations raised the issue of Hotmail's security by demonstrating how a Trojan Horse using JavaScript could trick Hotmail users into handing over their user names and passwords. In the exploit, the Hotmail user would receive an email message that, once opened, ran JavaScript to alter all the links of the Hotmail user interface. Whatever link the user subsequently chose, the resulting screen would mimic a Hotmail "timed-out" page requesting the user's name and password.

After entering that information, the user could resume using the account and would have little reason to suspect that anything unusual had happened. But the name and password would be on their way to the email sender, giving him or her complete control over the victim's account.

Hotmail quickly implemented a partial fix that filtered out JavaScript tags, but programmers easily bypassed it by hiding JavaScript inside HTML tags.

Now Hotmail is filtering JavaScript tags, JavaScript hidden inside other HTML tags, and two other security menaces. One is metatags, which can be used to whisk the user off to another page after a predetermined amount of time. That second page could conceivably be a spoofed Hotmail "timed-out" page requesting the user's name and password.

The other menace is Java applets, which instead of altering the user interface, as the Specialty Installations demonstration did, produce an entirely new page to fool the user.
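As an added illustration, not Hotmail's own code (Fee declined to give its details), the Python sanitizer below contrasts the partial fix that only removed script tags with a filter that also drops scripts hidden in tag attributes, metatags and applets; it assumes the mail body is HTML text, and the sample message is constructed.

```python
import re
from html import escape
from html.parser import HTMLParser

DROP_WITH_CONTENT = {"script", "applet"}  # tag and everything inside it is discarded
DROP_TAG_ONLY = {"meta"}                   # e.g. timed http-equiv="refresh" redirects
URL_ATTRS = {"href", "src", "action"}      # attributes that may carry a javascript: URL

def naive_strip_script(html: str) -> str:
    """The partial fix: remove <script> blocks only; handlers in other tags survive."""
    return re.sub(r"<script\b.*?</script>", "", html, flags=re.I | re.S)

def is_script_url(value: str) -> bool:  # whitespace/control chars removed first
    return re.sub(r"[\s\x00-\x1f]", "", value).lower().startswith("javascript:")

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside a dropped block

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag not in DROP_TAG_ONLY:
            kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                    if not n.startswith("on")  # inline event handler hidden in the tag
                    and not (n in URL_ATTRS and v and is_script_url(v))]
            self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag not in DROP_TAG_ONLY:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # text is re-escaped; HTML comments are dropped by default
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

def sanitize(html: str) -> str:
    """Rebuild the markup, keeping only tags and attributes that carry no script."""
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)

# Constructed sample message in the style of the demonstration described above.
SAMPLE = ('<html><head><meta http-equiv="refresh" content="5;url=http://example.test/"></head>'
          '<body><p>Hi!</p><script>rewriteLinks()</script><a href="javascript:steal()" '
          'onclick="steal()">Inbox</a><applet code="Fake.class"></applet></body></html>')
```

Running `naive_strip_script(SAMPLE)` leaves the `onclick` handler and the applet in place, while `sanitize(SAMPLE)` reduces the message to `<html><head></head><body><p>Hi!</p><a>Inbox</a></body></html>`.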

JavaScript is a scripting language for the Web developed by Netscape Communications. Java is a full-fledged programming language developed by Sun Microsystems. The two languages are unrelated.

Hotmail is not the only free email provider on the Web to face security problems, though with 22 million users, its breaches do put the most people at risk. Of the other free emailers, Cervenka said that the three services powered by USA.net (Netscape's WebMail, American Express' AmExMail, and USA.net's own NetAddress) also filter out the four dangerous elements.