Hotmail, Yahoo Users at Risk of PC Takeover

  Post new topicReply to topicPrintable Version
<< View previous topic View next topic >>
Share: Del.icio.us  Digg  Google  Spurl  Blink  Furl  Y! MyWeb  
#1   Hotmail, Yahoo Users at Risk of PC Takeover
Kelly_Hero
PayPal Donation
CZ Revered Member
 Codezwiz Site Donator
usa.gif southcarolina.gif
Occupation: Web Developer
Age: 59
Gender: Female
Website:
Status: Offline
Joined: Aug 20, 2003
0.48 posts per day
Posts: 3765
Points: 351,412
   
March 23, 2004
Hotmail, Yahoo Users at Risk of PC Takeover
By Ryan Naraine


A potentially serious security flaw found in Web-based e-mail services offered by Microsoft (Quote, Chart) and Yahoo (Quote, Chart) could put millions of PCs at risk of takeover, an Internet security research firm warned Tuesday.

Israel-based security consultants GreyMagic issued the advisory with a chilling warning that attackers could inject malicious code by simply sending an e-mail to an unsuspecting Hotmail or Yahoo user.

The vulnerability only affects Hotmail and Yahoo running on Microsoft's Internet Explorer (IE) browser.

"When the victim attempts to read this email, the code executes and may result in severe consequences," the company said. Successful exploit could lead to theft of a user's login and password, disclosure of the content of any e-mail in the mailbox and disclosure of all contacts within the address book.

Additionally, GreyMagic said the attacker could manipulate the system to automatically send e-mails from the mailbox and to exploit vulnerabilities in IE to access the user's file system and eventually take over his or her machine.

The company said Microsoft reacted to its warning with a fix for the flaw. However, GreyMagic said all attempts to contact Yahoo's security department failed, meaning that Yahoo's users are still vulnerable. Efforts by internetnews.com to contact Yahoo at press time were unsuccessful.

GreyMagic said that many other Web-based e-mail services may be vulnerable to the flaw, since it is a completely new way to embed script.

The company released a proof-of-concept demonstration with its advisory, noting that the vulnerability makes use of an IE technology called HTML+TIME (based on SMIL), which is meant to add timing and media synchronization support to HTML pages.

One of the features of HTML+TIME is the ability to manipulate any attribute on an element via special control elements. For example, GreyMagic explained, the element exposes the attributes "attributeName" and "to", which make it possible to inject ANY HTML content to the document when "attributeName" is set to "innerHTML", and "to" is set to any HTML the attacker would like to execute, including script.



Back to top Reply with quote
#2   
osmosis
CZ Addict
ireland.gif
Occupation: Student
Age: 37
Gender: Male
Status: Offline
Joined: May 29, 2003
0.06 posts per day
Posts: 495
Points: 12,092
   
im safe muhahahahaha icon_cool.gif ...... comp wont let me access any mail servers lol, also wont let me open my programs, but at least theres 1 upside to my probs, though i should be vulnerable again by weekend when comp will be fixed (hopefully)



Back to top Reply with quote
#3   re: Hotmail, Yahoo Users at Risk of PC Takeover
redhot_2oo3
PayPal Donation
CZ Moderator
uk.gif
Occupation: Codezwiz Elf
Website:
Status: Offline
Joined: Aug 26, 2003
0.08 posts per day
Posts: 633
Points: 25,047
   


Efforts by internetnews.com to contact Yahoo at press time were unsuccessful.


Well there's a familiar theme. It gives more credability that the servers at Yahoo are running the show after devouring the human staff. icon_eek.gif




_________________
Back to top Reply with quote
#4   re: Hotmail, Yahoo Users at Risk of PC Takeover
annetje77
CZ Addict
belgium.gif
Age: 46
Gender: Female
Website:
Status: Offline
Joined: May 31, 2003
0.05 posts per day
Posts: 364
Points: 1,780
   
Only in IE? no other browser?
And in a mail program like Outlook or Outlook Express?




_________________
Greetz An
[ Register or login to view links on this board.]
Back to top Reply with quote
#5   re: Hotmail, Yahoo Users at Risk of PC Takeover
RedWolf111
CZ Addict
usa.gif wisconsin.gif
Occupation: Owner of MR Kettle Corn
Age: 54
Gender: Male
Status: Offline
Joined: Jun 02, 2003
0.07 posts per day
Posts: 572
Points: 135,122
   
I could have told those experts that Yahoo cannot be reached. Just try to contact them for an id that was cracked... icon_rolleyes.gif


RedWolf111




_________________
[ Register or login to view links on this board.] You never know what you can find at TWFsales. Stop in today for some great deals.
Back to top Reply with quote
#6   re: Hotmail, Yahoo Users at Risk of PC Takeover
Tuffy
CZ Addict
 Codezwiz Site Donator
usa.gif newyork.gif
Occupation: Wedding Photographer
Age: 59
Gender: Female
Fav. Sports Team: NY Mets
Website:
Status: Offline
Joined: Nov 20, 2003
0.09 posts per day
Posts: 724
Points: 127,871
AIM Address Yahoo Messenger  
icon_cool.gif LOL - that was a great response there Red - maybe you should send Kevin in to fix it!



Back to top Reply with quote
#7   re: Hotmail, Yahoo Users at Risk of PC Takeover
RedWolf111
CZ Addict
usa.gif wisconsin.gif
Occupation: Owner of MR Kettle Corn
Age: 54
Gender: Male
Status: Offline
Joined: Jun 02, 2003
0.07 posts per day
Posts: 572
Points: 135,122
   
I agree with Tuffy....lets all give a big cheer for Kevin...."Gooooooooooooo Kevin"...lol




_________________
[ Register or login to view links on this board.] You never know what you can find at TWFsales. Stop in today for some great deals.
Back to top Reply with quote
Display posts from previous:      
Add To: Del.icio.us  Digg  Google  Spurl  Blink  Furl  Y! MyWeb  
<< View previous topic View next topic >>
Post new topicReply to topic

Jump to 
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum