"Last night we released a robust fix," said Sean Fee, director of product marketing at Hotmail. "It was implemented within 36 hours of our awareness of the issue. It is definitely a testament to the Microsoft employees who work here at Hotmail and their dedication to our users' security needs."
Hotmail implemented a filter that strips incoming email of scripts and potentially hazardous elements. Fee declined to specify what those elements were, but the company that highlighted Hotmail's security woes with an exploit demonstration said they included script tags, scripts hidden within HTML tags, meta tags, and Java applets, the main tools by which so-called Trojan Horses are deployed. Trojan Horses appear to be benign programs, but they actually contain malicious code.
"Hotmail's fix is good work," said Tom Cervenka, the Web programmer who authored the demonstration for Canadian network solutions provider Specialty Installations. "They did a great job. I can't see a way around it."
After entering that information, the user could resume using the account and would have little reason to suspect that anything unusual had happened. But the name and password would be on their way to the email sender, giving him or her complete control over the victim's account.
The other menace is Java applets, which instead of altering the user interface, as the Specialty Installations demonstration did, produce an entirely new page to fool the user.
Hotmail is not the only free email provider on the Web to face security problems, though with 22 million users, its breaches do put the most people at risk. Of the other free emailers, Cervenka said that the three services powered by USA.net--Netscape's WebMail, American Express' AmExMail, and USA.net's own NetAddress--also filter out the four dangerous elements.
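A filter of the kind described above, covering the four categories the article lists (script tags, scripts hidden within HTML tags, meta tags, and Java applets), written here as an added Python example. It is not Hotmail's or USA.net's code, whose rules were not disclosed; the tag sets, attribute list, and sample message are constructed assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policy modelled on the four categories named in the article.
DROP_WITH_CONTENT = {"script", "applet"}   # remove the element and its body
DROP_TAG_ONLY = {"meta"}                   # e.g. <meta http-equiv="refresh">
URL_ATTRS = {"href", "src", "action", "background"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")

class MailFilter(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.removed, self.skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT or tag in DROP_TAG_ONLY:
            self.skip += tag in DROP_WITH_CONTENT   # never closed => rest is dropped
            self.removed.append(tag)
        elif not self.skip:
            self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")
    handle_startendtag = handle_starttag   # treat <x/> like <x>, as browsers do
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag not in DROP_TAG_ONLY and not self.skip:
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))
    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:          # values arrive entity-decoded
            value = value or ""
            scheme = "".join(value.split()).lower()
            if name.startswith("on") or (name in URL_ATTRS and scheme.startswith(SCRIPT_SCHEMES)):
                self.removed.append(f"{tag}@{name}")   # script hidden in a tag
            else:
                kept.append(f' {name}="{escape(value)}"')
        return "".join(kept)

def filter_mail(html):
    f = MailFilter()
    f.feed(html)
    f.close()                              # flush any buffered text
    return "".join(f.out), f.removed

# Constructed sample message, not taken from the demonstration.
SAMPLE = ('<p onmouseover="x()">Hi <a href="java&#115;cript:x()">link</a></p><script>x()</script>'
          '<meta http-equiv="refresh" content="0"><applet code="F.class"><param name="a"></applet><b>bye</b>')
```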