
Microsoft patches Hotmail hole

The company confirms that it has fixed another JavaScript bug that could have posed a security risk to users of its Hotmail free email service.

Jim Hu Staff Writer, CNET News.com
Microsoft confirmed today that it has fixed another JavaScript bug that could have posed a security risk to users of its Hotmail free email service.

The exploit is a piece of JavaScript that poses as a Hotmail login dialog box. When the script runs, a box pops up resembling a Hotmail login request. This could fool a user into entering his or her screen name and password, which the attacker could then use to access the customer's Hotmail account.

"The vulnerability was that the [bug's programmer] found a way to make a JavaScript to go ahead and launch," said Scott Culp, a product manager with Microsoft's security response team.

JavaScript, a Web scripting language developed by Netscape Communications, runs inside the browser and can act on a Web page without user input. The language is commonly used for launching pop-up windows or for scrolling text, but it has recently become a headache for browser developers and for sites such as Hotmail because of its usefulness to attackers: a script that reaches the browser as part of a Hotmail page runs with the same access to that page, and to the user's session, as Hotmail's own code.

Hotmail does not allow JavaScript in messages to run, because it has proven a risk to customer security, according to Culp. In this case, the exploit was crafted to slip past Hotmail's filter so that the script could run and launch a phony login window.
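The paragraph above describes the general pattern behind this class of bug: a webmail service strips or escapes script from message HTML, and the attacker finds a form of script the filter does not recognise but the browser still executes. The following is an added example, not Hotmail's or Microsoft's code, and the page does not describe the specific bypass Guninski used. It contrasts a naive blacklist filter of the kind described (remove `<script>` blocks and `javascript:` URLs) with an allowlist sanitizer, and runs both over a few constructed message bodies, including event-handler attributes and entity- or whitespace-obfuscated URLs that a blacklist misses. The filters, the `containsActiveContent` check and the sample messages are all assumptions made for illustration, and the regex-based sanitizer is deliberately simple; a production sanitizer parses the HTML rather than pattern-matching it.

```javascript
// Added example (not Hotmail's or Microsoft's code): a naive "strip the
// script" filter versus an allowlist sanitizer, run over constructed
// message bodies. Everything here is illustrative; the real Hotmail
// filter and the real bypass are not described on the page.

// Naive blacklist filter: delete <script>...</script> blocks and the
// literal string "javascript:". This is the kind of filter that is easy
// to get past because it enumerates what is bad instead of what is allowed.
function naiveStripScript(html) {
  return html
    .replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '')
    .replace(/javascript:/gi, '');
}

// Rough model of whether a browser of the era would still execute
// something in this HTML: a <script> tag, an on* event-handler attribute,
// or a javascript: URL inside a tag, after the browser's own decoding of
// numeric entities and removal of embedded tabs/newlines.
function containsActiveContent(html) {
  const normalised = html
    .replace(/&#(\d+);?/g, (_, n) => String.fromCharCode(Number(n)))
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/[\t\n\r]/g, '');
  return /<script\b/i.test(normalised) ||
         /<[^>]*\son\w+\s*=/i.test(normalised) ||
         /<[^>]*javascript\s*:/i.test(normalised);
}

// Allowlist sanitizer: keep only a handful of formatting tags, drop every
// attribute except an href/src that is a plain http(s) URL, and drop any
// tag not on the list. Nothing executable can survive because nothing
// executable is on the list.
const ALLOWED_TAGS = new Set(['b', 'i', 'p', 'br', 'a', 'img']);

function allowlistSanitize(html) {
  return html.replace(/<\/?([a-z][a-z0-9]*)\b([^>]*)>/gi, (tag, name, attrs) => {
    const lower = name.toLowerCase();
    if (!ALLOWED_TAGS.has(lower)) return '';          // unknown tag: drop it
    if (tag.startsWith('</')) return `</${lower}>`;   // closing tag, no attrs
    const m = /\b(href|src)\s*=\s*"([^"]*)"/i.exec(attrs);
    if (m && /^https?:\/\/[^\s"'<>]+$/i.test(m[2])) {
      return `<${lower} ${m[1].toLowerCase()}="${m[2]}">`;
    }
    return `<${lower}>`;   // on*, style, javascript: URLs etc. are all gone
  });
}

// Constructed message bodies (assumptions, not captured attack traffic).
const SAMPLE_MESSAGES = {
  // The obvious case: a script that pops up a fake password prompt.
  plainScript: '<script>prompt("Please re-enter your Hotmail password")</script>',
  // No <script> tag at all: the handler fires when the image fails to load.
  eventHandler: '<img src="x" onerror="prompt(\'Password expired, re-enter it\')">',
  // The scheme is spelled with a numeric entity, so "javascript:" never
  // appears literally in the message source.
  entityEncodedUrl: '<a href="java&#115;cript:prompt(\'Password\')">Re-login</a>',
  // A tab inside the scheme, which old browsers ignored.
  tabSplitUrl: '<a href="jav\tascript:prompt(\'Password\')">Re-login</a>',
  // Ordinary mail that must come through intact.
  benign: '<p>Hi <b>Bob</b>, see <a href="http://example.com/x">this</a></p>',
};

// For each sample, does executable content survive each filter?
function evaluate() {
  const report = {};
  for (const [label, html] of Object.entries(SAMPLE_MESSAGES)) {
    report[label] = {
      naiveLetsThrough: containsActiveContent(naiveStripScript(html)),
      allowlistLetsThrough: containsActiveContent(allowlistSanitize(html)),
    };
  }
  return report;
}

console.table(evaluate());
```

Run as-is and the table shows the blacklist stopping only the first sample while the allowlist stops all four malicious ones and leaves the benign message unchanged. The lesson a filter author takes from this is the one implied in the article: "escape all JavaScript it can escape" is a blacklist, and every new way the browser accepts script is a new hole in it, whereas an allowlist only ever needs to know what is safe.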

Microsoft was alerted to the bug yesterday and fixed it shortly thereafter, Culp said.

The Hotmail bug is the latest in a string of similar exploits discovered by Bulgarian programmer Georgi Guninski. Microsoft recently had its hands full with similar JavaScript security bugs, including some discovered this fall. In 1998, Microsoft implemented a filter to plug these security holes.

Although Microsoft has implemented ways to prevent JavaScript in messages from running, the service is by no means impervious to attacks, according to Guninski.

"I don't want to make a scary demonstration, but it is also possible to read users' messages, to send messages from users' names and [to do] other mischief," Guninski wrote in an email to CNET News.com. "Hotmail deliberately escapes all JavaScript (it can escape) to prevent such attacks, but obviously there are holes."