Hotmail, Yahoo Users at Risk of PC Takeover

HomeSecurity
Ryan Naraine
By Ryan Naraine

A potentially serious security flaw found in Web-based e-mail services
offered by Microsoft and Yahoo could put millions of PCs at risk of takeover, an Internet
security research firm warned Tuesday.

Israel-based security consultants GreyMagic issued the advisory
with a chilling warning that attackers could inject malicious code by simply
sending an e-mail to an unsuspecting Hotmail or Yahoo user.

The vulnerability only affects Hotmail and Yahoo running on Microsoft’s
Internet Explorer (IE) browser.

“When the victim attempts to read this email, the code executes and may
result in severe
consequences,” the company said. Successful exploit could lead to theft of
a user’s login and password, disclosure of the content of any e-mail in the
mailbox and disclosure of all contacts within the address book.

Additionally, GreyMagic said the attacker could manipulate the system to
automatically send e-mails from the mailbox and to exploit vulnerabilities in IE to access the user’s file system and eventually take over his or her machine.

The company said Microsoft reacted to its warning with a fix for the
flaw. However, GreyMagic said all attempts to contact Yahoo’s security
department failed, meaning that Yahoo’s users are still vulnerable. Efforts
by internetnews.com to contact Yahoo at press time were
unsuccessful.

GreyMagic said that many other Web-based e-mail services may be
vulnerable to the flaw, since it is a completely new way to embed script.

The company released a proof-of-concept demonstration with its advisory,
noting that the vulnerability makes use of an IE technology called HTML+TIME
(based on SMIL), which is meant to add timing and media synchronization
support to HTML pages.

One of the features of HTML+TIME is the ability to manipulate any
attribute on an element via special control elements. For example, GreyMagic
explained, the element exposes the attributes “attributeName”
and “to”, which make it possible to inject ANY HTML content to the document
when “attributeName” is set to “innerHTML”, and “to” is set to any HTML the
attacker would like to execute, including script.

Previous article
HP’s ProLiant BL20p Grabs Server Hardware Award
Next article
EchoView E400 Takes Top Storage Honor

Similar articles

Get the Free Newsletter!
Subscribe to Data Insider for top news, trends & analysis
This email address is invalid.
Get the Free Newsletter!
Subscribe to Data Insider for top news, trends & analysis
This email address is invalid.

Latest Articles

Datamation is the leading industry resource for B2B data professionals and technology buyers. Datamation’s focus is on providing insight into the latest trends and innovation in AI, data security, big data, and more, along with in-depth product recommendations and comparisons. More than 1.7M users gain insight and guidance from Datamation every year.

Advertisers

Advertise with TechnologyAdvice on Datamation and our other data and technology-focused platforms.

Advertise with Us

Menu

Our Brands

Property of TechnologyAdvice.
© 2023 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.