Another Hole in Hotmail 219
Ancipital noted that a new hotmail hole has sprung up. This one is, like the ILUVYOU bug, a VBS macro attachment that must be executed by people with very (ok, who does this, huh? I mean, viewing a gif or clicking a URL, but running a strange program? The mind boggles).
Re:You'd be surprised. (Score:1)
Re:Wow (Score:1)
Re:Gimme mod points, quicky! (Score:1)
When you look at pop culture, and other countries leaders, it's obvious that most people are that stupid. I'm surprised the result wasn't higher.
--
Re:GUI designers take note (Score:1)
On a very similar idea you could also have a form where there was the explanation, in which was said at the end to type "yes" or "no" into a text box and click okay. Perhaps something short but unique could be used for each different box. I think "virus threat accepted" is a little long, users might make a typo and not figure it out.
E.G.
You are about to format your disk. Formating your disk will erase all the information on it. Type "format" into the text box and click okay to format. Type "no" or click cancel to stop this operation. Remember, this formatting the disk will erase all information on it.
---------------
|                            |
---------------
    [okay]     [no]
Re:Gimme mod points, quicky! (Score:1)
Re:Wow (Score:1)
For the online signup stuff, I have a pseudonym that has an e-mail alias on my own domain name that sends incoming mail to /dev/null
Very convenient - I never even see the spam.
Re:GUI designers take note (Score:1)
Re:You'd be surprised. (Score:2)
Re:You'd be surprised. (Score:2)
Slashdot poll suggestion:
In order to continue reading the pr0n trolls on Slashdot, you must pour a bowl of hot grits into your hard drive right now, and click OK. Do you wish to continue?
(Glossary: "hard drive" is usually used to denote the secondary storage device on your computer...)
Re:Password in the cookie? No-one's *that* dumb :) (Score:1)
I wonder what hotmail does if you check the "remember my password" option..
It probably just sends you the same cookie but with an expires field, so the browser will store the cookie on the hard drive. If the cookie doesn't have an expires field, then it's kept only memory. If you need to login as a new user, restart the browser.
Of course, if one is going to do something like this over the Internet, it should be encrypted. BTW, slashdot isn't the only one. Linuxtoday.com uses plaintext cookies for authentication also.
message from hotmail (Score:2)
Message to Hotmail Members
We apologize, but your account is temporarily unavailable. This delay does not affect the entire site or relate specifically to your account, but the machine that holds your account information is temporarily unavailable. We do not expect this delay to last much longer, so please continue to check our site for your account status.
We will do our best to make your account available as quickly as possible. We appreciate your support, and sincerely apologize for the inconvenience.
© 2000 Microsoft Corporation. All rights reserved. Terms of Service Privacy Statement
Password in the cookie? No-one's *that* dumb :) (Score:2)
Would they?
#!/usr/bin/perl -w
open COOKIE, $ENV{HOME} . "/.netscape/cookies" or die;
while (<COOKIE>) {
if (/slashdot/) {
chomp;
my @args = split;
my $cookie = pop @args;
$cookie =~ s/\%25//g;
print pack("H*", $cookie), "\n";
}
}
--
wingate (Score:1)
I once read that Wingate was full of holes. You might want to look into that.
Re:The intelligence of a typical computer user (Score:1)
Re:GUI designers take note (Score:1)
...and you're right, I run Gnome on my PC at home, and the only dialog box message that I get regularly (that I ignore) is the one that tells me I'm running the Gnome File Manager as root and that I could damage my system if I'm not careful.
Is it only a Hotmail hole? (Score:1)
Using an HTML file to execute malicious javascript seems pretty straightforward. Are any of the other web-based email services (Yahoo, Eudoramail, Mac.com, etc) vulnerable to similar attacks?
Re:Gimme mod points, quicky! (Score:1)
Re:A Brief Explanation for the lazy (Score:2)
On the other hand, if Microsoft have done something really really dumb, like including the password in a cookie, then there's really no hoe for them.
Hotmail stores your user information in a session cookie, not a persistent (disk) cookie. If you close all your browser windows and access hotmail again, you are required to enter your password again... unlike Slashdot I might note.
I know the session cookie has an expiration period, but I don't remember what it is. Probably something like 20 minutes.
-konstant
Yes! We are all individuals! I'm not!
Re:JavaScript, not VBS... (Score:1)
HTML and RTF allow us to format email far more effectively than plain text ever will. Shouldn't we just make them more secure?
You use RTF for email? HTML -- if stripped down to the most basic tags -- I can understand, but why RTF?
Hotmail did. (Score:5)
This is not, the JavaScript exploit in existence! Microsoft should, otherwise the users. The mind boggles.
But then again, I rarely. So who. Well!
Re:Wow (Score:1)
---
Zardoz has spoken!
Re:You'd be surprised. (Score:2)
Right?
difference between data and executable (Score:1)
Not everyone knows the difference. They see the attachment and click. After the last one, I sent an explanation of how to figure out what kind of file the attachment is (by looking at the extension) and why it's important to know before you click on it.
Since I support a hundred-plus windows users, I'm not really surprised that people don't know this. I'm sort of irritated, though, that if I don't tell them stuff like this, they aren't going to learn it anywhere else. The programs don't have little warning screens about it, and no one will ever RTFM, so they're stuck. Good thing we don't use Outlook here, eh? We still got last week's virus, but only two people lost
-jpowers
One word: ActiveX (Score:1)
It seems to me that it would be fairly trivial to embed an ActiveX component in an HTML email, to mess with people who read their mail with ActiveX-enabled software (Hotmail via MSIE, Outlook, etc.). Since ActiveX is just plain-vanilla binary executables with the most minimal security imaginable, it could do all sorts of unpleasant things when viewed. It could, for example: propagate itself (by interfacing with Outlook), embed itself into every HTML file on the user's hard drive, embed itself into all outgoing HTML mail (in which case it could become nearly uncatchable), send all sorts of info over the net, install backdoors, etc. I'm surprised it hasn't been done already.
---
Zardoz has spoken!
Poor users that would clik this. (Score:1)
Re:Hotmail did. (Score:1)
--
Re:Listen, folks (Score:1)
point in case, my lack of capitals and most punctuation, i hope it gives you nightmares.
-Malachai
-Sometimes i want to masturbate but then i feel that i dont deserve myself.
Re:The intelligence of a typical computer user (Score:1)
They also said that there were no Antivirus tools available that could detect VBS.LoveLetter which was just plain wrong, as I had downloaded updates for InnocuLAN, McAfee, Norton AV and AVP about 2 hours before their report.
Re:Hooray for Javascript (Score:1)
Hmm - a tip. When looking for karma, try getting your facts right. As anyone who reads
Re:you missed the point (Score:3)
Yes, but the point was that users *might* think that formatting the HD is a good thing. Sometimes it is, when you detect Windows on it, to install OS blablabla
Thimo
--
Another point... (Score:1)
Re:question about the above statement (Score:1)
Re:Formatting the same as erasing? (Score:1)
The name "accelerator" is a bit confusing because it implies that it will cause your car to accelerate. More often than not, it's used to keep your car at a constant speed, and oftentimes it will be used to slow the car down. Most people wisely don't call it an "accelerator".
Rather, most people call it a "gas pedal" and likewise use phrases like "giving it some gas" and "laying off the gas". This to me shows that they have a very good understanding of what the pedal does: it allows more gasoline into the fuel mixture. Also, it would seem that most people will not expect the gas pedal to cause any sort of positive acceleration when going up a steep hill (for example), so I'd say your assumption that most people just expect it to speed up the car is false. Also, your assumption that it doesn't matter would also seem to be false, otherwise extreme confusion would ensue when people would drive in hilly or mountainous parts.
This may seem off-topic, but it's not. Would it be too much to ask to give the populous at large the benefit of the doubt? Most people know what's going on with most things, and they don't need it to be overly dumbed down. The worst case of this is retarded software companies who make programs that mimic real-life devices in order to presumably make it "easier to use" (examples are CD players which look like real CD players, chat programs which look like telephones, e-mail programs which make analogies to snail mail protocols). Oftentimes, the program will be come out extremely crippled, and pretty much inferior in every way to its competitors. Also, it come out being a little bit condescending, which I'm sure can't help its sales. People know that an increase in gas in the fuel mixture in their car causes an increase in power because they've experienced it, not because there's a sticker that says "speed" or any such nonsense pasted on to it.
Re:Is it only a Hotmail hole? (Score:2)
Re:Password in the cookie? No-one's *that* dumb :) (Score:1)
Proxies of course make it look like everyone has the same ip, but this uses SSL which normally doesn't get proxied.
Re:A Brief Explanation for the lazy (Score:1)
Re:A Brief Explanation for the lazy (Score:1)
The problem would be that it wouldn't take long for the site to get shuttered and the manhunt would be on. Perhaps.
Re:GUI designers take note (Score:1)
Unfortunately, software requires you to make decisions, and dumbly clicking on "OK" all the time is seen just as a quick way to make the problem go away. Unfortunately, it's not the case. Ideally, the user interface of an application should be engineered and designed to stay flexible intuitive, easy to learn while popping up the minimum number of questions. These goals cannot be accomplished all the times for every situation. In such cases, where the full attention of the user is needed, I'd suggest to force him to use a different input device in order to proceed than the one he usually uses. Today it would mean that you'd have to require confirmation via keyboard (perhaps requiring to type an extensive `yes' instead of a simple `y' (or whatever). I know this may be source of troubles, but I don't see alternatives if questions can't be avoided.
Sorry, it's gone. (Score:2)
I was pretty sure it would spread to millions of computers, and I'd get a bonus. Instead I got a pat on the back from the guy in the next cubicle (who didn't install the software either), and the company refused to hire me as a regular employee when my co-op term ended (despite demonstrated ability as one of their best programmers, and their desperate need for a rewrite of an in-house package I was intimately familiar with, I was "unqualified" without a degree). Very disappointing.
Just another reason not to use Hotmail (Score:1)
Re:GUI designers take note (Score:1)
Anyway.. I digress.
--
Re:A Brief Explanation for the lazy (Score:1)
What they are really suggesting is that Microsoft should bundle anti-virus software with Windows and Outlook. Seems to me that the bundling issue got you guys into a bunch of trouble already.
You can't have it both ways folks. If you are going to split Microsoft in two for bundling software, you can't demand that they bundle more software to protect from virii.
Ugh. Expecting anything but bigoted bullshit about Microsoft from /. is asking too much, it seems.
Re:A Brief Explanation for the lazy (Score:2)
it's not a vbs file. it's an embeded javascript. there is no virus check run because it's not a virus and there isn't an anti-virus that checks for potentially malignant javascript. Hell, the creator only had to identify the cookie, the username, and the server the cookie was being held on, and automatically send all of this info to another account (which could have been a hotmail account)
Not everyone had to actually open the attachment.
Re:Just another reason not to use Hotmail (Score:1)
Idiots who run shit (Score:1)
ID10T's....all of 'em.
Yahoo mail (Score:1)
I tried this thing on my Yahoo mail account and it changed the <script> tag to <cursive>
Kudos to Hotmail!!! (Score:1)
OK, so bashing hotmail.com in /. is pretty easy, but there is one single aspect that I think makes hotmail the best free web-based e-mail service: they do close spam generating accounts or drop-in box accounts. You guys in this thread seem not to pay much attention to this.
I used to receive about 5 spam messages a day and never have I sent a complaint with a full header to abuse@hotmail.com I got spam from the same address again. I can't say the same about any other web-mail.
How stupid are people (Score:1)
Lowest common denominator (Score:1)
question about the above statement (Score:2)
With very what?! Egads.
Linux Band Bratwurst Orange [mp3.com]
Beos Band XIR: Xir is recursive [mp3.com]
Re:File extensions (Score:1)
Not exactly the same, is it ?
it's not a microsoft bug per se... (Score:3)
Seth
Re:You'd be surprised. (Score:2)
I was nothing short of amazed at how many people clicked OK. It must have been at least a third, if not half.
Re:Lowest common denominator (Score:2)
You punk kid virus writers are becoming lazy no-goodniks who just want to live off the government dole! Back when I was a kid, we had to walk 7 miles through unsorted punchcards if we wanted to write a virus; and we didn't have no fancy-schmancy new-fangled "scripting languages", neither, nosirree, we had to imprint the binary on cardboard boxes, which in turn we'd mamble famble until they'd turn into finely crafted executables, yes sirree.
Read more abt it (Score:2)
From the ZDNet article:
Bennett Haselton, Webmaster for Peacefire.org, said the flaw involves sending a user an e-mail with an HTML attachment. When the user clicks on the attachment, the file sends a copy of the user?s cookie to the hacker.
Once that cookie is received, the hacker can insert it manually into the Netscape cookies.txt file and use that authentication key to log in to Hotmail as the user. Click here [peacefire.org] for a description of the trick.
<snip>
Not a 'trivial bug'
Since the cookie does not contain the user's password, the hacker can only access the account when the user is logged on and as long as the authentication code is valid. But Haselton said that five minutes would be long enough for a hacker with a prepared script to download all of a user's e-mail messages.
Best I could see, theres no email floating around doing this - its just an idea at this point. And for it to propagate(sp?) like luvbug or melissa, it'd need a script to use the hotmail address book. As it sits right now, it'd just come from one guy who knew lots of hotmail addresses. Someone correct me if I'm wrong on this, tho :)
-----
If Bill Gates had a nickel for every time Windows crashed...
Re:The intelligence of a typical computer user (Score:2)
1.) If you get an e-mail that your not expecting (hmmm all of them!) call the person and ask them if they sent you mail.
Why don't you just drive over to their house and ask them.... DUH!
2.) Make sure you virus software is up to date.
Hello! This didn't work and wouldn't work because this was a NEW virus. They had a virus defintion only hours after the bug hit! What good would it have done!
Re:You'd be surprised. (Score:2)
Any takers?
numb
Re:Listen, folks (Score:2)
Do NOT hit yourself in the head with this hammer. (Score:2)
That way I have something to point to when someone asks me if it's OK to open email attachments. Doesn't work too well over the phone, but I'm sure I could make use of a suitable GIF on the web server..
Security Hole Discovered At Slashdot! (Score:3)
1) Find a story about technology (if your name is "Katz" this step is unneeded)
2) Skim the headline of said story to "get the gist".
3) Submit story to Slashdot, paying special attention to making it seem like this story is related to some hot topic.
For instance, if the story is about a misconfigured website allowing a security breach, make it seem like the story is related to a recent email worm by working "email" and "Visual Basic Scripting" in there somehow.
What's the effect of this exploit: In all the excitement of having another Microsoft bashing story will hurriedly type your submission onto the front page with plenty of spelling errors and word omissions.
--
Have Exchange users? Want to run Linux? Can't afford OpenMail?
A Brief Explanation for the lazy (Score:5)
If you then view the attachment through Hotmail, Javascript in that attachment can then pretend to me from the Hotmail domain, and therefore access any cookies that Hotmail has set up. It can then submit these values to a form on another, hostile, server.
These cookies then allow access to the site from a user pretending to be you, allowing them to read and delete your emails or send email from your account.
It's not clear form the article, but presumably the relevant cookie is the one holding the user's session key. In a typical implementation this key will be useless after 30mins or so, but the length of the timeout is really whatever Microsoft chooses it to be.
Try logging on to Hotmail, not touching anything for 30 mins and then clicking on 'read mail'. If they have the server set up sensibly, you'll have to enter your user name and password again.
On the other hand, if Microsoft have done something really really dumb, like including the password in a cookie, then there's really no hoe for them.
-Ciaran
I can't resist...someone has to say it. (Score:4)
Ah. I feel MUCH better now! Now I have to go delete some email before I lose my cookies! <grin>
Re: (Score:2)
Formatting the same as erasing? (Score:5)
To you and me, formatting means erasing. But that's only true in techno-speak. In every other context, the word "format" does not imply erasing - not at all! And since very few people actually format their hard drives (and hence, have no experience with the process), how can you expect them to know what that word means?
When you "format" something, you arrange it. You put it into some kind of order. To most people, that's a good thing! The moron who decided that "format" is a synonym for "erase" should be shot.
If your application had asked the user to "erase all files on your hard drive", I think very few people would have said yes.
Social Engineering is easier (Score:5)
I wonder how many people fell into that trap, thinking they were gonna get into someone else's account.
Not so fast.... (Score:2)
After our beloved NTServer was 'Loved', the people with this setting only noticed the jpg icons had changed and kept infecting away. I changed this setting on all infected users to help remind them what file type it actually is.
Re:The intelligence of a typical computer user (Score:3)
I saw something funny on CNBC during the ILOVEYOU worm outbreak. They were advising people not to save attachments to disk, as that could lead to infection, but to just execute the attachment. Not only was the mainstream media not educating people, they were actively making it worse.
Re:Wow (Score:2)
I still have my hotmail account, I use it as my "spam bucket". You know those free website that offer free accounts (like the new york times), but you have to give them you email address? Also when registor with search engines, sign up FREE to win crap out there, just use a hotmail account and see how long it takes to fill completly full with spam (it took mine 3 days!)...
A neat treat though, just put a filter in to filter out anything with 'A' in the subject, they allow like 5-10 filters, so delete everything that has a vowel in the subject line!
Re:Wow (Score:2)
Everytime I sign up for anything on the internet, anytime a webpage asks me for email, any time I have to put in an email address to 'register' a program, or any convention I sign up for, I put in my hotmail address... They then usually ask me a bunch of personal questions. I'm always 25-35 male, I make $100,000+/year and am single. And when you see all those little boxes where you check off your interests? Well, I check them all. Then I check (or uncheck) those boxes that ask me if I want their monthly, weekly, daily email magazine. Oh, and I want all the updates whenever they update their software/web page, etc...
I currently get 7-8 emails a day at that address.. about twice a week I get one from Hotmail Staff telling me my mailbox is full..
Re:File extensions (Score:2)
Moderate Chris Hiner's post UP.
Re:Password in the cookie? No-one's *that* dumb :) (Score:2)
what's wrong with using the password for a permanent cookie? someone with the cookie can do anything you can do (post comments, submit articles), so why is it a big deal if they have your password?
otoh, for something like web-based e-mail where you log in for a few minutes, you want the authentication gone when you leave the computer.
(i wonder what hotmail does if you check the "remember my password" option..)
--
Totally false (Score:2)
The proper extension for a Word file with macros is ".dot", because it's a template (a Word template is a dynamic object which produces documents, a Word document is a static object and can't contain code) - just because Word is too stupid to complain if you name it ".doc" doesn't change that. What you're saying is like insisting that a ".jpg" can hold formatted text, arbirary JavaScript, and hyperlinks because if you rename an ".html" file to ".jpg" IE will still open it as HTML.
At any rate, my program detected macros in files with the extension ".doc". It wasn't a program idea, it was a working program that I tested and proved effective.
From http://www.emergency.com/wordvrus.htm [emergency.com]:
An important point to make here is that Word documents (.DOC files) can not contain macros, only Word templates (.DOT files) can contain macros. However, it is a relatively simple task to mask a template as a document by changing the file name extension from .DOT to .DOC.
I hate pathetic morons who go around insulting people for imagined mistakes without checking their facts.
Re: (Score:2)
On the flip side... (Score:2)
Everyone who saw it, including my boss, agreed that it solved the problem completely. However, nobody installed it, and nobody outside of my department was shown it. It was almost certainly deleted shortly after I left the company, and the vulnerability (to a few specific viruses) solved several months later by purchasing expensive anti-virus software.
Home users have an excuse: most of them are ignorant. They have a vague idea of some portion of what's on their hard drive and what's on the internet, and of the difference between an application and a document. Corporations, though, want a simple solution: money out, invulnerability to viruses in. The answers have been jumping up and biting them on the nose from any halfway decent MIS department, from security websites, from annoyed articles in the trade papers, but the managers involved want their computers to "just work", and not be bothered with having to think (or making all their employees apply common sense, which, I must admit, is about as difficult as teaching cats to march in formation).
(OT?) Linux alternatives for web mail? (Score:2)
Has anyone used this, or similar programs? How well do they work? How insecure are they?
It'd be nice to set up an alternative web mail system....
---
IMG tags in emails... (Score:3)
Wonder if this could be exploited further?
No, I wouldn't. (Score:2)
Why would anyone in their right mind let unknown people run foreign code on their machines? Yes, I get executable attachments sometimes myself, but why would I want to run code that does who knows what? I guess I just know too much about the kind of people out there. Yeah, maybe that's it.
Just goes to show, once again, that there are two kinds of people in the computer world -- those who know what they're doing and understand the technology, and those who are along for the ride and depend completely on their "gurus" for anything even the slightest bit off the routine.
I have to rant a little about this because around here 9 times out of 10 people come to me to bail them out when they screw something up, and only one of my jobs pays me for that. I have very little trouble believing that quite a few people would answer "yes" to your question, and not much more trouble believing that they would come whining to more clueful people about getting their files back afterwards.
("No, you don't understand. You FORMATTED the hard drive. That ERASES the hard drive. Unless you backed up those files which were ON the hard drive, they're gone. Sorry
MS Must be Implementing a Fix Right Now (Score:2)
I'm hella pissed, though, because the mail I was sending was to a headhunter I've been talking with about a sweet Linux job and I don't know if it went through or not.
It's enough to make a person switch over to PEmail. Old habits die hard, though. I've been using Hotmail since before M$ bought them.
-carl
You'd be surprised. (Score:5)
Re:Gimme mod points, quicky! (Score:2)
*gasp*!
Pablo Nevares, "the freshmaker".
Dealing with human tendencies (Score:3)
"If you tell a man that there are millions of stars in the sky, he'll believe you. If you caution a man about wet paint, he'll have to touch it before he'll believe you."
You can remind people ad nauseum that you shouldn't execute programs attached to e-mails because they might contain viruses. Most won't remember or believe you until they experience a virus infection for themselves.
--
Re:You'd be surprised. (Score:2)
I decided not to have the link cause you to profess your love for Bill Gates to this thread. Instead I set up a sid here [slashdot.org].
numb
not just hotmail... (Score:3)
the next step is a worm that affects web discussion forums. i wouldn't be at all surprised if slashdot was its main target, just because of slashdot's size and the fact that javascript's security model is messed up on all browsers.
--
Hooray for Javascript (Score:3)
A quick summary: javascript in a rogue cookie on a hostile site tells Hotmail to send its own cookies to someone else. Once that person has those cookies, he has all the authentication he needs to use/abuse the original person's Hotmail account.
Re:Formatting the same as erasing? (Score:2)
But that's beside the point. The fact that it re-initializes the directory structure and allocation tables is nowhere near as big of an issue as the fact that it erases all data on the drive!!!!
Here's an analogy:
Stepping on the accelerator in a car will:
- A) increase the RPM of the engine
- B) make the car go faster
Yes, both are true, but so what? When a driver steps on the accelerator, it's because he wants B) the car to go faster. 99% of all drivers aren't that concerned about the engine RPM, even if they know what it is.Re:Formatting the same as erasing? (Score:3)
Usually it doesn't actually. The data is still there but inaccessable because the OS just reset the allocation tables. You're not really losing the data, you're losing the ability to access the data in the intended mannor, its a byproduct.
Dos even had an "unformat" command.
-- iCEBaLM
"average" has several meanings... (Score:2)
Re:On the flip side... (Score:2)
Sounds like a javascript bug to me (Score:2)
From they way this story is worded, I'm led to belive that you could construct a similear javascript to get the cookies from anywebsite.
Just one more reason that I only use crashscape (Which is what I've been calling that program since 1.1 when I first saw it) with sites I trust. Mostly my bank because they require javascript for some reasons (at least to log in, once I'm logged in I've disabled it with no problems, but that is a pain)
File extensions (Score:5)
(Win98 may default to this too, I don't remember)
I suspect lots of nongeeks leave it at the default...
Wow (Score:3)
I'm sure that pretty much everyone here has or has had a Hotmail account at some point in the past. Quick poll: How long did you use Hotmail, and why did you finally give it up?
The basic problem is... (Score:2)
There are many alternatives to Outlook Express (in the case of the love bug) or Hotmail, but people that are too lazy to properly evaluate the suitability and safety of their tools will get hurt. This happens with physical tools
That taiwanese-brand hammer is way more likely to split and send shards into your eye, but is that your fault or the manufacturers fault? In the US, it is of course entirely the manufacturer's. In the UK, well, the judge would make an arbitrary partition and say it was maybe 60% the manufacturers fault, and 40% mine. Of course the UK approach is much less sane.
Re:question about the above statement (Score:5)
I think there're a number of people you could assign the blame to, but no one entity that's "fully stupid". Users should be more careful, Hotmail should attempt some filtering, but most importantly the w3c should provide a means of denoting "third-party" HTML (and other documents) that appears to be from the server, but in reality was placed there by someone else (such as an attachment to an email or a comment in a message board that doesn't restrict HTML).
I'd call it "resetting the filesystem" (Score:2)
11 months and still counting. (Score:2)
Re:Formatting the same as erasing? (Score:2)
Re:Gimme mod points, quicky! (Score:2)
Re:Gimme mod points, quicky! (Score:2)
Who opens these? (Score:2)
Most people wouldn't think twice about opening a snail mail package addressed to them, even if it has not return address on it, and seems somewhat heavy. That's why the unabomber managed to rack up a pretty decent string before being caught. People don't tend to think that bad things will happen to them when they are using tools that they deal with everyday without understanding.
To put it another way, while most people think of themselves as fairly decent drivers, how often in the past week have you been cut off, or had the guy in front of you make a turn without signalling? People get so used to using tools that they become careless; this is compounded if the person doesn't understand how the tool that they are using works, or at least had it drilled into their heads the way to safely use the tool.
It's just a matter of time before people get more careful about opening things they're not sure are safe. I imagine Thag got a lot more careful with fire after watching Thog torch himself.
The acutal nature of the Hotmail hole (Score:5)
The folks over at Hotmail were smart enough to filter out JavaScript from HTML formatted messages sent to Hotmail recipients. They did not, however, think that it would be necessary to filter HTML attachments, either. As a result, a clever individual was able to construct an HTML page containing JavaScript which forwards HotMail authorization cookies to a third party.
Ironically, this information is largely reproduced from the article on Peacefire [peacefire.org] cited in the original post. No mention of VBS files anywhere.