Yahoo and Hotmail Filter Flaw 250
gandam writes "Israeli computer security firm GreyMagic Software has detected a serious security flaw in Yahoo's Web e-mail service and Microsoft Corp.'s Hotmail service, which could allow hackers to run malicious scripts on users' computers. I tried sending a mail to my yahoo account and it never reached my mailbox. According to the website, all attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com. No replies were received to date. Works only in IE5, though."
Works only in IE5, though? (Score:5, Funny)
No freakin' WAY!?
Re:Works only in IE5, though? (Score:5, Informative)
However, Hotmail completely filters out that element, so another method of namespace declaration is needed. It so happens that Internet Explorer provides one other mechanism to declare a namespace, via the non-standard <?xml:namespace> processing instruction, which may be used anywhere in the document and does not get filtered.
Re:Works only in IE5, though? (Score:2, Interesting)
Re:Works only in IE5, though? (Score:2)
That won't protect you if Microsoft dec
Re:Works only in IE5, though? (Score:2)
If the standards are not adhered to, the different systems cannot interoperate, and the Net becomes homogenous (single system only) by neccessity.
Simply because two systems have compatible interfaces (such as TCP/IP stacks, HTTP transport agents, or HTML viewers) does not mean that both would have same vulnerabilities. After
Re:Works only in IE5, though? (Score:5, Informative)
I just tried it on IE6, and it works there too - should have said "IE5 upwards", I suppose.
(For those who don't know, MS's versioning is so bizarre that IE5 and IE5.5 are different in more than minor version number, while IE6 is pretty much IE5.5.1. No, I don't understand either; but I'm always glad of a reminder of why I use a Mac these days :-)
Version numbers are almost meaningless (Score:5, Interesting)
When I worked for a VLSI team in Boston in the late eighties, our CAD vendor had a support contract which promised one major release a year. But it was almost a year since version 4.0, and their new release wasn't ready. So they just patched their latest release (4.2) with some bug fixes and a few minor features, and shipped it as 5.0. Everyone could see it was basically the same as 4.0 + patches.
When version 5.1 came out a few months later, that was a huge change over 5.0! They replaced their standard menu-for-newbies + hotkeys-for-experts interface with the most hideous UI I've ever had the misfortune of using. It was based on "mouse gestures." You were supposed to "draw" a D with your mouse to delete a selected object, for instance. Half the time it would get the wrong gesture. Our productivity dropped precipitously, but because the 5.0 release had been rushed, there were bugs that were fixed in 5.1 and we couldn't work with the 5.0. So many customers complained that they quickly came out with 5.2, which was just 5.0 with the known bugs fixed.
So I've learned that the positions of the digits don't necessarily mean anything. Hell, you can't even assume monotonicity all the time!
Re:Works only in IE5, though? (Score:2, Informative)
MS's versioning is so bizarre that IE5 and IE5.5 are different in more than minor version number, while IE6 is pretty much IE5.5.1
I wouldn't agree with your assesment that IE6 was a minor update to IE5.5. IE5.0 to 5.5 was probably a bigger change (and should have been called 6.0), but there were some big changes [microsoft.com], including print preview, privacy enhancements, .NET WinForm hosting, that damn image toolbar, and most importantly, big improvements in CSS [microsoft.com].
Re:Works only in IE5, though? (Score:3, Informative)
The IE/Mac codebase is totally different from the IE/Windows codebase. But, like any sensible Mac user, I use Safari these days.
For those who want to know, I've just tested on IE/Mac v.5.2.2, and it's not vulnerable.
Re:Works only in IE5, though? (Score:2)
You should upgrade, current release is 5.2.3. some kind of bug/hole in 5.2.2.
Re:Works only in IE5, though? (Score:2)
Nobody used it anymore. We have too many good options.
Mozilla, Firefox, Camino, Safari, the new Opera...
Take your pick!
Re:Safari (Score:2)
Re:Works only in IE5, though? (Score:2)
The version numbering system for IE for Mac is a little more sane than IE for Windows. I think IE for Mac OS X is on 5.2.3, which makes a lot more sense than "Internet Explorer 6 Service Pack 1" - is it the browser with the upgrade already installed, or is it only the upgrade for an existing installation? Or is it both?
I guess it makes about as much sense as Netscape skipping from 4.08 to 4.5, and from 4.8 to 6.0, skipp
Re:Works only in IE5, though? (Score:2)
That's because like so many others [slackware.com] they decided to treat the version number as a marketing ploy.
God, remember when it actually meant something? Gone are those days.
Re:Works only in IE5, though? (Score:2, Informative)
When NN4 came out, Netscape was busy at work on the Netscape 5 codebase (what eventually became Mozilla). After about a kazillion slipped deadlines, and the battering of the free and pre-installed IE4 that they competed against on Windows, Netscape open-sourced the moribund and convoluted Netscape 5 codebase as the Mozilla Project. To show they still had some hope for the future, Netscape 4.5 was introduced as an interim release--one which
Re:Works only in IE5, though? (Score:2)
Of course, when it comes to computers most of my people are...
RTFA: *NOT* an IE bug. (Score:5, Informative)
An attacker could craft an HTML email that, when viewed in your inbox on Yahoo or Hotmail will execute some JavaScript or other script code from within the context of the Hotmail.com or Yahoo.com window. So it could do nasty things like deleting your messages automatically, forwaring your emails to another address, etc.
It does NOT allow your computer to execute native code unless the attack exploits some other browser-specific vulnerability.
Webmail will always be succeptible to these kinds of attacks if it does not carefully filter out HTML using any number of obscure features to insert malicious script in the Hotmail.com output.
Re:RTFA: *NOT* an IE bug. (Score:3, Insightful)
(mostly).
While it's true that this is a filtering bug in Hotmail and Yahoo, the reason it's a problem is because "It so happens that Internet Explorer provides one other mechanism to declare a namespace, via the non-standard <?xml:namespace> processing instruction.
So once again, the web designers have to work around IE's non-standards compliance.
Re:RTFA: *NOT* an IE bug. (Score:2)
Should they release a patch which removes said (non-standard) feature?
Re:RTFA: *NOT* an IE bug. (Score:4, Insightful)
Besides, MS have shown in the past that they're happy to completely remove [theregister.co.uk] completely standard features that have completely legitimate uses rather than just fixing the bug that makes them dangerous, so why should they find removing a nonstandard feature any more of a problem?
Microsoft have cornered the market with a bugridden browser that they have no motivation to improve by bundling it with standard windows - no web developer wants to alienate 95% of their visitors by refusing to support such a broken piece of software, so web developers are stuck in the continual situation of having to work around the bugs in IE rather than using all those cool features [w3.org] that every other browser supports (and have supported for a long time).
IE vs. Open Systems and Standards (Score:4, Interesting)
Well, like most /. folk, I'm using Firefox on BSD on an SPARC.
If you lets your friends and relatives use Windows and IE, then you are only harming them (and the rest of us who get slammed by their viruses trying to break mutt on my machine).
Take the needle out. Put down the crack pipe.
Really, the web took off because it was platform independent and full of juicy goodness.
"Must us IE" or "best used with IE" means that they should STOP using http to transfer their garbage and only serve on MSN.
Really. The web sucked the business out of Compuserve for a good reason. Open Platforms and Open Standards were the big attraction. Remember?
---
During the myDoom.* fest, I asked our SVP about looking at deploying Linux on the desktop for users who don't truly actually REQUIRE MS and MS tools.
He asked if I "thought Linux was ready for the desktop here."
"Hmmm," said I, "I'm not 100%. But do you think Windows is?"
Re:IE vs. Open Systems and Standards (Score:5, Funny)
Man, I didn't realize I was so lame. I didn't know most people on
Re:IE vs. Open Systems and Standards (Score:2)
Re:Works only in IE5, though? (Score:3, Insightful)
The point is, filtering HTML is a hard problem. Few sites get it 100% correct. To call a XSS bug in Hotmail an IE bug is to completely misunderstand the problem. Similarly, to call a page-widening bug an IE problem completely misses the point.
Should a user-agent render breaks at its own whim? Probably not. If a user-agent does not render spaces at its own whim, is it a bug? Probably
Better free email (Score:4, Informative)
Myway [myway.com] is also great as a portal or homepage, it's much more customizeable than any other site I've seen, and again, no banners or popups.
You can also read all AP and Reuters stories with no registration, and there's partner links to NY Times and other reg-req'd sites (great for submitting articles to Slashdot).
Re:Better free email (Score:2)
--
Hot deals. You won't be sorry! [dealsites.net]
Re:Better free email (Score:2)
Does it have Pay for POP3 access? (Score:5, Insightful)
I love being able to use yahoo with pop3, I like it a lot better than my ISP email.
Also you know what's funny? myway.com is in my hosts file routed to 0.0.0.0. It's blocked from my computer, as a ad/spam domain. I unblocked it, and I can't see any features of myway on their site. It looks like an almost identical clone to yahoo. It goes back in the hosts file.
I think I'll stick with good ol' reliable yahoo. It's only been down once in the past two years.
BTW, I use linux, so I don't need to worry about this silly IE vulnerability. (I don't even use the webclient anyway).
Re:Does it have Pay for POP3 access? (Score:3, Informative)
Re:Does it have Pay for POP3 access? (Score:4, Interesting)
Re:Does it have Pay for POP3 access? (Score:3, Informative)
Re:Does it have Pay for POP3 access? (Score:2)
2 pieces of spam? You are clearly joking. (Score:2)
The irritating thing is that at least 5 or 6 make it to my Inbox that could have been clearly filtered.
Also false positives are common, so I am forced to check the last page of spam for legit messages before removing the full lot.
Very dissapointing, specially since early adopters like me, that got a yahoo.com address have to pay for POP3 access (the people sying you don't have to are clearly uninformed). WIth POP3 I w
Re:Does it have Pay for POP3 access? (Score:2)
Myway uses adware. (Score:5, Informative)
Sorry, but I'm not willing to get email with a service that supports the use of adware/scumware.
Re:Myway uses adware. (Score:4, Funny)
Re:Myway uses adware. (Score:3, Informative)
Re:Myway uses adware. (Score:4, Informative)
I looked at the linked page, but although it made several accusations, it almost, but not quite, actually backs up those accusations with facts. It's rather vague. For instance, the "How does it Violate Privacy?" doesn't say how it violates privacy. WTF?
What's strange also is that in contrast to the article, the ratings are as low as possible. All of them are:
"1 - The lowest on the scale of 1 to 5, exhibiting a few potentially harmful or scummy traits with little effect on the end user.".
vim would receive the same ratings.
I'd never looked at the scumware site until now, but I do hope that their reviews more often than not include some useful information. I'd like to have an informative scumware site to look information up at.
Re:Better free email (Score:2)
phew... (Score:4, Funny)
only works in IE5 though...
hmm... <mouseGesture>down-right</mouseGesture>
More details for those interested (Score:5, Informative)
Tried submitting this a couple of times since yesterday but the submission system seems to have picked up a few bugs of its own where it says "Thanks for the submission" but nothing shows up in the queue. Here are the details...
Yahoo, Hotmail Users Vulnerable to XSS PC Attack
Both Yahoo Web e-mail and Microsoft Hotmail are vulnerable to an Internet Explorer cross-site scripting (XSS) attack [infoworld.com] that lets malicious users run local code, according to Israel's GreyMagic [greymagic.com] security consultants (proof of concept [greymagic.com]). Possible consequences range from theft of login and password to a remote takeover of the compromised machine. Reports indicate that Microsoft has patched the hole but Yahoo has yet to solve the problem. The vulnerability presumably affects Windows PC-based versions of Internet Explorer only. Some people might want to read this developerWorks article on how to prevent cross-site scripting and protect oneself [ibm.com], mentioned last month [slashdot.org] on Slashdot. More coverage at InternetNews [internetnews.com] and The Register [theregister.co.uk].
Re:phew... (Score:5, Informative)
Well, that is what the article says, but the proof of concept page [greymagic.com] also works in IE 6.0 (6.0.2800.1106)
As it happens, provoked by receiving he Netsky virus embedded in an html email in Outlook that attempted to launch via an iframe, I happened to download Spybot Search and Destroy.
Using Spybot Search & Destroy, I found out about another Grey Magic discovered vulnerability, Executing arbitrary commands without Active Scripting or ActiveX [greymagic.com]. I also discovered that I'd apparently had an Alexa phone-home browser extension installed as a "Browser Helper Object" in IE, god knows for how long.
I've been using Mozilla FireWhatever for quite sometime, eschewing Internet Explorer except for those sites that don't work with IE or for testing my own sites in IE. But clearly, even a careful user with an up-to-date copy of IE and a firewall, isn't safe, principally because rather than concentrate on security and getting what they already have working securely, Microsoft prefers to pile on ever-accumulating layers of non-essential crap like HTML-TIME
I've no idea why someone thought that HTML-TIME, ostensibly for adding "timing and media synchronization support" to HTMl, required the ability to arbitrarily re-write pages. But clearly it's nothing that's desirable in an email.
My course is clear at this point: after repeated attempts, Microsoft still can't get it right, still cannot write a browser that's anywhere near secure. Crap like "HTML + TIME" is NOT worth the risks it brings with it -- especially when the risks are borne by the end-user in order to make life easier for (generally commercial) web site developers. Boycott IE, and boycott sites that only work in IE -- even if -- especially if, they use Microsoft extensions like "HTML + TIME".
Re:phew... (Score:3, Interesting)
You're advocating boycotting the POS browser that at least 95% of people use. While a noble cause, IE is here to stay, warts, bugs 'n all. The best you can probably do it get your friends/family converted (no more popups!), but corp America won't go for it, and neither will Grandmaw who can't install jack shit (except for gator and hotbar, of course).
If only FireFox would take a page from these slimebags and make it as easy to install the better browser
Use their own tactics (Score:2)
That's actually a pretty good idea, at first glance anyway:
Promote Fire/Moz~ the way gator, or Monkey, or wondertoolbar, whatever that crap is people install. Don't look at from the tech view that most of us here share, look at it from grandmas view, and take a page from the marketers. Don't make them feel foolish for not swit
Re:phew... (Score:2)
If only FireFox would take a page from these slimebags and make it as easy to install the better browser as it is to install Hotbar. We could get way more
Re:phew... (Score:2)
I have never heard of HTML-TIME and just looked at the specification [w3.org]. I have now read the entire thing. There is nothing in that entire specification that can't be accomplished (and in all likelihood, better and more flexibly accomplished) by giving Javascript access to a more accurate timer (the same one that HTML+TIME will need to work correctly), a couple of additional properties on reflected movie object, and a Javascript library (where each library could offer different things to different us
Re:phew... (Score:3, Informative)
I believe the Alexa BHO you saw is one that Microsoft includes in IE's for the "Show Related Links" tool. This is similar to Netscape and Mozilla's "What's Related" button. This BHO only phones home when you do "Tools -> Show Related Links"
Alexa also makes a separate downloadable toolbar that shows related links automatically on each
Re:phew... (Score:2)
Or maybe you have Firefox with mouse gestures...
Only in IE5 (Score:2, Interesting)
Still, I've got friends who run IE, and now they'll have incentive to learn the true joys of Mozilla FireFox.
Thanks for the heads-up.
hanzie
Re:Only in IE5 (Score:5, Informative)
Re:Only in IE5 (Score:3, Insightful)
Methinks it's because techies don't use IE, (simple enough), rather than fewer people using IE.
The results are skewed simply by the nature of the site hosting the test. That'd be kind of like ISO.org hosting a poll asking whether or not their visitors were Linux users.
Re:Only in IE5 (Score:2)
Re:Only in IE5 (and above). (Score:2, Informative)
Redeem yourself. (Score:2)
Terrorist.
Only in IE*5*? (Score:2)
new spamming opportunity (Score:4, Funny)
Once I do this, I will be able to afford that sould I've been eying on eBay all week.
Another reason (Score:3, Interesting)
Yes, it is a troll. No security problems are shown (Score:3, Informative)
Well, number 224853 shouldn't scare you. It is entirely about Mozilla politics, and doesn't involve software at all.
Number 204506 says, "Actual Results: I can enter maxlength + 1 characters into a input field." That doesn't sound very scary. There is no mention of running code in the extra byte.
Bug 182176 says, "This is not much of a security hole since chrome can read any file anyways and non-trusted content can't use chrome URLs. It's worth fixing in case some future exploit allows untrusted conte
Hotmail evidently fixed (Score:4, Informative)
"Solution: GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation. All attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com, no replies were received to date. "
Re:Hotmail evidently fixed (Score:5, Insightful)
Well, all I can say is: See how Microsoft worked with a (foreign) company and fixed the problem less than 2 days after hearing about it. This company is clearly focused on security.
Re:Hotmail evidently fixed (Score:2)
Re:Hotmail evidently fixed (Score:5, Insightful)
Re:Hotmail evidently fixed (Score:2)
And you are talking about a sample size of 1 for websites as a source of news.
And a highly biased one at that.
Re:Hotmail evidently fixed (Score:2)
I'm not sure about that... Hotmail is essentially one b
Don't attribute speediness to the business model (Score:3, Interesting)
You say this company is clearly focused on security; well, it should be, after all the trouble Microsoft has been through recently (all those exploits for windows that were, needless to say, pretty major).
Whatever people may say, Microsoft has
Re:Hotmail evidently fixed (Score:2)
Respsonding to a comment currently rated by
C'mon Bill, you don't need this subversive PR, tell us what you really think [slashdot.org].
Re:Hotmail evidently fixed (Score:2)
I see no evidence of Microsoft doing any such thing.
I DO see evidence of certain TECHS at Microsoft making tiny tweaks to their filters. But MICROSOFT as a whole remains the same stubborn, unresponsible slug they always have been. They're not any more focused on security than the RIAA is on protecting the rights of its artists. They just want to look like they are.
Re:Hotmail evidently fixed (Score:2)
That's a job for the MS publicity department. We're (in a way) the open source publicity department, so it's not our problem.
See how Microsoft worked with a (foreign) company and fixed the problem
Microsoft is a big company. The Hotmail team has been doing a great job for a while now, the macdev team produces a version of Office for OSX that is considered by many to be superior to the Windows version, the hardware division puts their name on decent m
Re:Funny, Funny, Funny...! (Score:2)
I'm not sure if you are an Astroturfer or not - your posts are pretty one-sided.
But, I'll bite anyway. There are many reasons to "give labor away" - one of the best is all the free labor it gives back!
See, OSS is frequently much like love - the more you give, the more you get back in return.
If I give away a li
Re:Hotmail evidently fixed (Score:2)
Yahoo! will fix the problem, if it is indeed a problem that is as represented here on slashdot (hah). They'll fix it and won't make much of a stink about it because its a bug in IE that they will have to write around.
Besides, as far as I'm concerned its not really an issue with Yahoo! mail or Hotmail anyway, its an issue with IE5, since the problem is only exploitable through IE5.
my summary: yawn. this is just reason #632 to not
Works only in IE5, though (Score:4, Insightful)
Seriously, folks -- I have said it before and I'll said it again -- do not use Microsoft products when it comes to the Internet.
If you care, even minimally, about security, then Firefox and Thunderbird should be installed by default on your Windows machine instead of Internet Explorer and Outlook.
This was the case in one of the companies I worked for, and they had almost zero virus problems in two years.
Re:Works only in IE5, though (Score:3, Insightful)
Is not people like you that worries me. (Score:3, Insightful)
For the people that have got not a clue, the recommendation of the poster preceding your post is timely and accurate.
Re:Works only in IE5, though (Score:2)
You know... This Hotmail / Yahoo exploit appeared because IE could do too much. Ironic huh?
Lambskin condoms (Score:2)
You sound just like a guy I know who insisted on using lambskin condoms for years. Now he has AIDS and will probably die soon. Too late to switch. What the fuck are you waiting for? Get Firefox [mozilla.org]. Take back the web.
Attacking my Hotmail Account (Score:5, Funny)
alternatives (Score:3, Informative)
Re:alternatives (Score:2, Informative)
people are always picking on the big guys.
taking notes (Score:2)
Yahoo's too busy responding to my posts (Score:2, Funny)
Sticking with "Old Faithful" is asking for trouble (Score:4, Informative)
It's not the first and won't be the last IE exploit! Be prepared! Don't buy into the monoculture - use "second tier" software whenever possible. Mozilla Firefox [mozilla.org] is a fantastic free web browser with many security features and simple toggles. Eprompter [eprompter.com] is an excellent, simple, and free POP3\Hotmail\webmail client that lets you delete messages server-side before you open\view them.
Most important of all, keep up-to-date with Slashdot and other news services to stay aware of new vulnerabilities!
Re:Sticking with "Old Faithful" is asking for trou (Score:2, Funny)
Not only IE5 (Score:5, Informative)
ALL versions of IE *since* 5 contain this feature, which means that if there's a flaw in the filtering mechanism of the web-based email provider, script will run.
Yep, IE5, IE5.5 and IE6.
Re:Not only IE5 (Score:2)
When it comes to XMLHTTP, ActiveX and security, the quote "Whose teenage nephew designed that pair of clown pants?" comes to mind.
interesting tidbit from the article (Score:4, Interesting)
Wow...I'm actually sort of impressed that Microsoft fixed a vulnerabillity in their product that was pointed out to them in email, rather than ignoring it until it blew up in their face. . .
Hotmail no longer vulnerable (Score:2)
"GreyMagic started work on this issue with Microsoft on 11-Mar-2004. They have quickly confirmed our findings and were able to produce a fix less than two days later. As a result, Hotmail is no longer vulnerable to this method of exploitation.
All attempts to contact Yahoo unfortunately failed. Mail was sent to security and secure at yahoo.com and at yahoo-inc.com, no replies were received to date."
Now thats weird. Microsoft fixing something before its truely made public!:)
Open Source Projects vulnerable? (Score:3, Insightful)
Don't ask about open source projects! (Score:3, Insightful)
You don't use IE but your friends might (Score:4, Insightful)
Now the article says this security flaw allows "Content disclosure of any email in the mailbox." This means that if you have sent anything personal to any mailbox on yahoo or hotmail, this info might be vulnerable, even if you personally don't use IE. The recipient might use IE and get their inbox read by others.
Where is the flaw? (Score:2, Interesting)
Re:Where is the flaw? (Score:3, Informative)
Who is to blame, hmm? (Score:4, Insightful)
Re:Who is to blame, hmm? (Score:3, Interesting)
I still want to know how they would get username/password with javascript. Only way I could think of is to write my own fake loggin screen.
I probably should point out... (Score:4, Interesting)
So what? (Score:3, Informative)
That's quite an "inconvenience" (Score:2, Informative)
That means your entire mailbox can be read and sent to a remote server.
That means emails can be sent from the mailbox.
That means your address book can be accessed.
Running script in general might be an inconvenience, but in this context, it's a big-ass security vulnerability.
If you know of any other such filtering flaws that aren't patched, feel free to point them out. But I assure y
What about IMP and squirrelmail? (Score:5, Interesting)
Hotmail Down on March 12 (Score:2, Interesting)
This is the time when Microsoft was working on the fix. Could the two events be related?
huh? (Score:2)
Viola, problem not solved!
The flaw is in IE, not Yahoo / Hotmail (Score:3, Informative)
This extension has nothing to do with HTML specifications as documented by the W3C.
Yahoo! did nothing bad. The Yahoo! filtering system works. Yahoo is not supposed to deal with every browser specific non-standard extension.
If I release a patch for Mozilla that implements a tag that format your hard disk, should we immediately blame every webmail on the planet because there's a vulnerability here?
No. And the fact that IE is widely used shouldn't mean that it should be a special case and that every program out there should care about its silly specific extensions.