X

Worm holes found in Hotmail, Yahoo Mail

Microsoft and Yahoo race to eradicate a vulnerability that could lead to a mass-mailing worm that, while not damaging, could clog Internet mail servers.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
See full bio
Robert Lemos
2 min read
Hotmail and Yahoo have left open a security hole that could be exploited to create a self-mailing worm that, while not damaging, could clog Internet mail servers, a security expert said this week.

The vulnerability allows an attacker to create an e-mail containing an HTML link that can act as a worm. If clicked by a user of one of the vulnerable Web-based e-mail services, the HTML code will execute, making it possible to manipulate the person's in-box and send e-mail, said Matt Parcens, the independent software specialist who discovered the flaw.

"The webworm has serious short-term danger, but less of a danger in the long term," he said in an e-mail to CNET News.com. "For the webworm to be active, a hole must exist on the same server that serves the mail. This limits the number of possible holes dramatically."

If properly coded, the HTML link could forward itself to the sender of every e-mail stored in the victim's in-box, Parcens said. The result: a deluge of e-mail.

On Friday, Microsoft confirmed that the security hole existed on its Hotmail Web-based mail service, but that it had plugged the hole by Friday afternoon.

"We sent it over to the Hotmail team," said Steve Lipner, manager for Microsoft's security response center. "They fixed it as of about noon."

see special report: Year of the Worm As of about 5:30 p.m. PDT Friday, Yahoo had not fixed the hole. But a company representative said it would be fixed by the end of the day.

Details about the vulnerability were published to a security information list on Thursday. While Parcens claimed that he contacted both Microsoft and Yahoo on May 23, Microsoft had no idea the hole existed until the advisory went up, Lipner said.

Parcens said he sent the information to several Hotmail addresses, but not to security@microsoft.com, the normal channel for such advisories. "I did notify the company through the best channels I could find on the Hotmail site," he said.

While the hole could lead to clogged servers, much of the danger will be gone by Saturday morning, after both companies have fixed the vulnerability. The fact that a simple server fix can prevent the flaw from being exploited means that this particular security hole will be short-lived.

Typically, when the vulnerability is in a software application, Microsoft has to issue a patch and then hope that people download and install the fix.

"We don't love any of these things," Lipner said. "But the nice thing about a Hotmail server issue is that when we find one we can patch it and that's it."