New security glitch for Hotmail

The freemailer is vulnerable to yet another security hole, this one transmitted via email attachments, rather than within the body of the message.

Paul Festa, Staff Writer, CNET News.com. Paul Festa covers browser development and Web standards.
Security-minded programmers are finding holes in Microsoft's Hotmail faster than the free Web-based email service can plug them.

Like the series of security weaknesses that came to light last week, the current one lets programmers introduce a "Trojan horse," or a malicious program that masquerades as a benign one. The programs are designed to fool users into handing over their user names and passwords by presenting them with a bogus "timed-out" page requesting that information.

The previous round of security holes relied on sending code within the body of an email message, and Hotmail and other Webmail services subsequently blocked various kinds of content--including JavaScript, Java applets, and metatags--from incoming messages.

The current bug plaguing Hotmail is transmitted via email attachments, rather than within the body of the message.

Hotmail said it was looking into the situation and would act quickly to resolve it.

"We will act as quickly as we did earlier to rectify any problem that there is," said Hotmail spokesperson Peter Ross.

Hotmail and other Webmail providers have struggled to keep up with the long string of security holes that have come to light in the last week. Many dozens of sites offering free email found themselves vulnerable last week when popular Webmail technology providers, including iName and WhoWhere, which have more than 40 licensees apiece, acknowledged that they were vulnerable.

iName said today it was not vulnerable to the present attachment bug because it already strips out the tags required to spoof the "timed-out" page.

Peter Hamlen, vice president of software development at iName, acknowledged that an embedded hyperlink still could lure iName users to a spoofed page. But he said users would likely be tipped off that something was amiss because that link would open a separate window. He also said iName was considering adding a warning whenever users left iName servers.

WhoWhere also said it was invulnerable to the present bug.

The firm credited with bringing these security problems to the Webmailers' attention is a Canadian networking solutions provider, Specialty Installations. The company's not-for-profit programming group Because-We-Can.com first posted a demonstration of a password-stealing JavaScript exploit, and then a similar Java applet exploit along with a ranking of some leading Webmail sites and what kinds of hazardous content each of them screened.

Webmailers including Hotmail, Yahoo Mail, WhoWhere, and iName quickly moved to plug those holes.

Today, Specialty Installations posted a demonstration of its latest Trojan horse, dubbed "Attackments."

With its week-long string of exploit demonstrations, Specialty Installations has become a pest--albeit a useful one--to Hotmail and the other Webmailers. The demonstrations also have brought the company somewhat far afield from its primary business of reselling and installing Intel-based network computing solutions.

"People are now looking to us to ask whether a service is secure or not," said Specialty Installations Web programmer Tom Cervenka, who last week endorsed Hotmail's security fixes. "And if we said that it was, and subsequently find that it isn't, now we consider it our duty to say so."

Cervenka said the ideal solution for Hotmail's latest bug will not prevent users from sending or receiving attachments, but instead will either handle them in a more secure way or warn users that by opening an attachment they may be putting themselves at risk.

"You can't expect users to know that clicking on an HTML attachment is a security risk," Cervenka said. "Two weeks ago I didn't even know that."

Cervenka's current demonstration, which he created with Because-We-Can programmer Cody Kostiuk, uses Macromedia's Shockwave plug-in to create the bogus Hotmail interface. But Cervenka cautioned that Shockwave was only one among many tools a malicious programmer could use to create a Trojan horse that sneaks through by attachment.
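As an added example (not code from the article, nor from Hotmail, iName or Specialty Installations), here is the kind of defensive handling the article describes the Webmailers adopting, written in Python: a filter that strips JavaScript, Java applets, meta tags, plug-in content and inline event handlers from a message body (the tag-stripping iName said it already did), and an attachment policy that never renders HTML or plug-in attachments inline in the mail service's own window but offers them as downloads with a warning (the "handle them more securely or warn users" middle road Cervenka proposes). The tag and MIME-type lists, the function names and the sample message are assumptions for illustration, not anything the article reports.

```python
import html
from dataclasses import dataclass
from html.parser import HTMLParser

# Elements the filter drops outright. The article names JavaScript, Java
# applets and meta tags; object/embed (plug-ins such as Shockwave), iframe,
# form, frame, base and link are assumed additions blocked for the same
# reason: each can run code, load a plug-in, or redirect to a spoofed login.
BLOCKED_TAGS = {"script", "applet", "object", "embed", "meta", "iframe",
                "form", "frame", "base", "link"}
# Blocked elements that never have a closing tag, so they must not open a
# "skip until the end tag" region.
VOID_TAGS = {"meta", "embed", "frame", "base", "link"}
# URL schemes that execute code when a link or image is activated.
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")


class MailSanitizer(HTMLParser):
    """Re-emits a message body with active content removed.

    Text is re-escaped on output, so an entity-encoded "&lt;script&gt;" in
    the input cannot become a live tag. Comments and declarations are never
    re-emitted because only handled tags and text reach the output."""

    def __init__(self):
        super().__init__()          # convert_charrefs=True: data arrives decoded
        self.out = []
        self.skip_depth = 0         # > 0 while inside a blocked element
        self.removed = []           # audit trail of what was stripped

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.startswith("on"):                       # inline event handler
                self.removed.append(f"{tag}@{name}")
            elif value and value.strip().lower().startswith(BLOCKED_SCHEMES):
                self.removed.append(f"{tag}@{name}")
            else:
                kept.append((name, value))
        return "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept)

    def handle_starttag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.removed.append(tag)
            if tag not in VOID_TAGS:
                self.skip_depth += 1
        elif not self.skip_depth:
            self.out.append(f"<{tag}{self._filter_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in BLOCKED_TAGS:
            self.removed.append(tag)
        elif not self.skip_depth:
            self.out.append(f"<{tag}{self._filter_attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        if tag in BLOCKED_TAGS:
            if tag not in VOID_TAGS and self.skip_depth:
                self.skip_depth -= 1
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(body):
    """Return (cleaned_html, removed_items) for one message body."""
    p = MailSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.removed


@dataclass
class Attachment:
    filename: str
    content_type: str

# Assumed lists. Anything that can draw a page or run a plug-in inside the
# mail service's own window is what a spoofed "timed-out" page needs.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "text/javascript",
                "application/x-shockwave-flash", "application/x-director",
                "application/java-archive"}
ACTIVE_EXTENSIONS = {"html", "htm", "shtml", "js", "swf", "dcr", "jar", "class"}
INLINE_OK = {"image/gif", "image/jpeg", "image/png", "text/plain"}
WARNING = ("This attachment contains active content. Opening it shows a page "
           "the sender controls, not one from your mail service; never enter "
           "your password into it.")


def attachment_policy(att):
    """Return ("inline" | "attachment", warning_or_None) for one attachment.
    Active content is never rendered inline and always carries the warning;
    other attachments still flow through unchanged."""
    ctype = att.content_type.split(";")[0].strip().lower()
    ext = att.filename.rsplit(".", 1)[-1].lower() if "." in att.filename else ""
    if ctype in ACTIVE_TYPES or ext in ACTIVE_EXTENSIONS:
        return "attachment", WARNING
    if ctype in INLINE_OK:
        return "inline", None
    return "attachment", None


# Constructed sample message: hidden parts try to redirect to and script a
# fake login page (hostnames are placeholders, not real sites).
SAMPLE_BODY = (
    '<html><head>'
    '<meta http-equiv="refresh" content="0;url=http://example.invalid/timed-out">'
    '<script>document.location="http://example.invalid/timed-out"</script>'
    '</head><body onload="steal()">'
    '<p>Hello from a friend &amp; co</p>'
    '<a href="javascript:steal()">re-login</a>'
    '<a href="http://example.invalid/">site</a><img src="x.gif"/>'
    '</body></html>')

if __name__ == "__main__":
    clean, removed = sanitize(SAMPLE_BODY)
    print(clean)
    print("removed:", removed)
    for att in (Attachment("login.html", "text/html"),
                Attachment("photo.jpg", "image/jpeg")):
        print(att.filename, attachment_policy(att))
```

The two halves address the two delivery paths the article contrasts: `sanitize` covers content in the message body, `attachment_policy` covers the attachment route the newer demonstration uses. Re-escaping text on output, rather than passing it through, is what stops an entity-encoded tag from being reconstituted by the browser, and the `removed` list gives the operator a record of what each message tried to carry.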

None of the Web-based emailers have reported any actual incidents of password stealing so far.

For people to actually use the programs, they would have to obtain addresses of people who belong to the emailing networks.