Spyware Warrior
Help with Spyware, Hijacking & Other Internet Nuisances
 

Hotmail, Yahoo Users at Risk of PC Takeover !!!!

 
wawadave
Warrior Obsessed


Joined: 25 Jan 2004
Last Visit: 24 Jul 2009
Posts: 3448
Location: Illegitimus non carborundum

Posted: Tue Mar 23, 2004 8:25 am    Post subject: Hotmail, Yahoo Users at Risk of PC Takeover !!!!

March 23, 2004
Hotmail, Yahoo Users at Risk of PC Takeover
By Ryan Naraine


A potentially serious security flaw found in Web-based e-mail services offered by Microsoft and Yahoo could put millions of PCs at risk of takeover, an Internet security research firm warned Tuesday.

Israel-based security consultants GreyMagic issued the advisory with a chilling warning that attackers could inject malicious code by simply sending an e-mail to an unsuspecting Hotmail or Yahoo user.

The vulnerability only affects Hotmail and Yahoo running on Microsoft's Internet Explorer (IE) browser.

"When the victim attempts to read this email, the code executes and may result in severe consequences," the company said. Successful exploit could lead to theft of a user's login and password, disclosure of the content of any e-mail in the mailbox and disclosure of all contacts within the address book.

Additionally, GreyMagic said the attacker could manipulate the system to automatically send e-mails from the mailbox and to exploit vulnerabilities in IE to access the user's file system and eventually take over his or her machine.

The company said Microsoft reacted to its warning with a fix for the flaw. However, GreyMagic said all attempts to contact Yahoo's security department failed, meaning that Yahoo's users are still vulnerable. Efforts by internetnews.com to contact Yahoo at press time were unsuccessful.

GreyMagic said that many other Web-based e-mail services may be vulnerable to the flaw, since it is a completely new way to embed script.

The company released a proof-of-concept demonstration with its advisory, noting that the vulnerability makes use of an IE technology called HTML+TIME (based on SMIL), which is meant to add timing and media synchronization support to HTML pages.

One of the features of HTML+TIME is the ability to manipulate any attribute on an element via special control elements. For example, GreyMagic explained, the element exposes the attributes "attributeName" and "to", which make it possible to inject ANY HTML content to the document when "attributeName" is set to "innerHTML", and "to" is set to any HTML the attacker would like to execute, including script.

_________________
RFID tags! SPYWARE
Tired of proprietary Cor-pirationware?
http://www.openoffice.org/
Installing Vista http://tinyurl.com/2l9qyd
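
An added example, not part of the original post or of GreyMagic's advisory: the article says the flaw was a new way to embed script, which is why a mail filter that only removes known-bad markup lets it through while a filter that keeps only known-good markup does not. The policy table, the function names and the `t:ctl` element name below are assumptions made for illustration (the quoted article does not name the control element).

```python
from html import escape
from html.parser import HTMLParser

# Illustrative policy (an assumption): tag -> attributes it may keep.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def denylist(tag, attrs):
    """Legacy-style filter: drop <script>, strip on* handlers, pass the rest."""
    if tag == "script":
        return None
    return [(k, v) for k, v in attrs if not k.startswith("on")]

def allowlist(tag, attrs):
    """Keep only known tags and, per tag, only known attributes."""
    if tag not in ALLOWED:
        return None
    kept = [(k, v or "") for k, v in attrs if k in ALLOWED[tag]]
    return [(k, v) for k, v in kept
            if k != "href" or v.strip().lower().startswith(SAFE_SCHEMES)]

class _Rewriter(HTMLParser):
    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy, self.out, self.flagged = policy, [], []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names: attributeName -> attributename.
        if (dict(attrs).get("attributename") or "").lower() == "innerhtml":
            self.flagged.append(tag)  # record for detection and alerting
        kept = self.policy(tag, attrs)
        if kept is not None:
            pairs = "".join(' %s="%s"' % (k, escape(v or "")) for k, v in kept)
            self.out.append("<%s%s>" % (tag, pairs))

    def handle_endtag(self, tag):
        if tag != "br" and self.policy(tag, []) is not None:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize(html, policy):
    """Return (rewritten_html, tags that tried to set innerHTML by attribute)."""
    r = _Rewriter(policy)
    r.feed(html)
    r.close()
    return "".join(r.out), r.flagged

# Constructed message body; "t:ctl" is a stand-in name, not from the advisory.
SAMPLE = ('<p>Hello <b onclick="x()">there</b></p>'
          '<t:ctl attributeName="innerHTML" to="&lt;i&gt;injected&lt;/i&gt;"></t:ctl>')
```

`sanitize(SAMPLE, denylist)` still returns the attribute-setting element, while `sanitize(SAMPLE, allowlist)` returns only the paragraph; both report the element in the second return value so it can be logged.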
suzi
Site Admin


Joined: 27 Jul 2003
Last Visit: 19 Oct 2017
Posts: 10420
Location: at the beach

Posted: Fri Mar 26, 2004 9:04 pm    Post subject:

Has there been any news of a fix for this problem?
_________________
Former Microsoft MVP 2005-2009, Consumer Security
Please do not PM or Email me for personal support. Post in the Forums instead and we will all learn. :)
wawadave
Posted: Fri Mar 26, 2004 10:24 pm    Post subject:

Not seen anything for it yet.