[1stPickPCHelp] Microsoft patches critical Hotmail hole

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: 1stpickpchelp@xxxxxxxxxxxxx
  • Date: Tue, 23 Mar 2004 17:31:45 -0800

Microsoft patches critical Hotmail hole
http://www.smh.com.au/articles/2004/03/24/1079939690076.html
By Sam Varghese
March 24, 2004

Microsoft has responded promptly to the discovery of a critical
vulnerability in its Hotmail service and issued a patch in less than two
days, according to an advisory posted by GreyMagic Software, an Israel-based
security company. 

However, GreyMagic said in its posting to the Bugtraq list that it had found
a similar flaw in Yahoo!'s webmail service but found it impossible to
contact the company. 

GreyMagic said it had started work on the issue with Microsoft on March 11.
"They have quickly confirmed our findings and were able to produce a fix
less than two days later. As a result, Hotmail is no longer vulnerable to
this method of exploitation," the advisory said. 

"All attempts to contact Yahoo unfortunately failed. Mail was sent to
security and secure at yahoo.com and at yahoo-inc.com, no replies were
received to date." 

The vulnerability is a cross site scripting or XSS flaw. To exploit such a
flaw, a web application is sent with a script that activates when it is read
by an unsuspecting user's browser or by an application that has not
protected itself against cross-site scripting. 

GreyMagic found that it was possible to exploit the flaw when people
accessed their Hotmail or Yahoo! mail accounts using Internet Explorer. 

The company said a malicious attacker could exploit the flaw and it could
result in theft of login and password; disclosure of the content of any
email in the user's mailbox; automatic dispatch of emails from the mailbox;
exploitation of known vulnerabilities in the browser to access the user's
file system and eventually take over the machine; distribution of a
web-based email worm or disclosure of all contacts within the address book.

From: The Sydney Morning Herald

Mike ~ one of the Moderators
It is a good day if I learned something new.
Editor MikesWhatsNews http://www.mwn.ca/ 


