Hotmail, Yahoo Users at Risk of PC Takeover
Internet News ^
Posted on 03/23/2004 10:52:20 AM PST by Dbdaily
March 23, 2004 Hotmail, Yahoo Users at Risk of PC Takeover By Ryan Naraine
A potentially serious security flaw found in Web-based e-mail services offered by Microsoft and Yahoo could put millions of PCs at risk of takeover, an Internet security research firm warned Tuesday.
Israel-based security consultants GreyMagic issued the advisory with a chilling warning that attackers could inject malicious code by simply sending an e-mail to an unsuspecting Hotmail or Yahoo user.
The vulnerability only affects Hotmail and Yahoo running on Microsoft's Internet Explorer (IE) browser.
"When the victim attempts to read this email, the code executes and may result in severe consequences," the company said. Successful exploit could lead to theft of a user's login and password, disclosure of the content of any e-mail in the mailbox and disclosure of all contacts within the address book.
Additionally, GreyMagic said the attacker could manipulate the system to automatically send e-mails from the mailbox and to exploit vulnerabilities in IE to access the user's file system and eventually take over his or her machine.
The company said Microsoft reacted to its warning with a fix for the flaw. However, GreyMagic said all attempts to contact Yahoo's security department failed, meaning that Yahoo's users are still vulnerable. Efforts by internetnews.com to contact Yahoo at press time were unsuccessful.
GreyMagic said that many other Web-based e-mail services may be vulnerable to the flaw, since it is a completely new way to embed script.
The company released a proof-of-concept demonstration with its advisory, noting that the vulnerability makes use of an IE technology called HTML+TIME (based on SMIL), which is meant to add timing and media synchronization support to HTML pages.
One of the features of HTML+TIME is the ability to manipulate any attribute on an element via special control elements. For example, GreyMagic explained, the element exposes the attributes "attributeName" and "to", which make it possible to inject ANY HTML content to the document when "attributeName" is set to "innerHTML", and "to" is set to any HTML the attacker would like to execute, including script.
TOPICS: Business/Economy; Culture/Society; Miscellaneous; News/Current Events; Technical
KEYWORDS: computersecurity; greymagic; hotmail; ie; lowqualitycrap; maliciouscode; microsoft; opera; windows; yahoo
1
posted on
03/23/2004 10:52:21 AM PST
by
Dbdaily
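The attribute-override behaviour the article describes is why a filter that only looks for script tags and event handlers lets such a message through. As an added example (not part of the original post or of GreyMagic's advisory), here is a webmail-side check that keys on the attribute pair instead. The element name `x-timed-control`, the function names and the sample message are constructed placeholders, since the article does not give the real element name.

```python
import re
from html.parser import HTMLParser

# attributeName values that let a control element rewrite its target's markup.
MARKUP_SINKS = {"innerhtml", "outerhtml"}

# Constructed sample message: placeholder element name, inert replacement markup.
SAMPLE_MAIL = '''<p>Hello
<x-timed-control attributeName="innerHTML"
    to="&lt;b&gt;replaced by sender&lt;/b&gt;" /></p>'''


def naive_filter_allows(html):
    """Stand-in for a blocklist filter: rejects only <script> tags and on* handlers."""
    return not re.search(r"<\s*script\b|\son\w+\s*=", html, re.I)


class AttributeOverrideScanner(HTMLParser):
    """Flags any element pairing attributeName=<markup sink> with a 'to' value.

    Matching on attributes rather than tag names is an assumption made here so
    that the check does not depend on knowing every control element's name.
    """

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases attribute names and unescapes their values.
        a = {name: (value or "") for name, value in attrs}
        sink = a.get("attributename", "").strip().lower()
        if sink in MARKUP_SINKS and "to" in a:
            self.findings.append((tag, sink, a["to"]))


def scan(html):
    """Return (tag, sink, injected_markup) for each suspicious element."""
    scanner = AttributeOverrideScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    print("naive filter allows message:", naive_filter_allows(SAMPLE_MAIL))
    for tag, sink, markup in scan(SAMPLE_MAIL):
        print(f"flagged <{tag}>: sets {sink} to {markup!r}")
```

A sanitizer built on an allowlist of known-safe elements and attributes would drop the unknown element outright, which is the more robust fix; the scanner above is the detection-side counterpart.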
To: Dbdaily
And some people wonder why I use Opera...
2
posted on
03/23/2004 10:55:30 AM PST
by
ECM
To: Dbdaily
Hotmail is virus filtered by McAfee before it gets to you. The filter will always be as up-to-date as McAfee anti-virus.
3
posted on
03/23/2004 10:56:28 AM PST
by
js1138
To: Dbdaily
MSN email is also filtered, although they don't advertise it. I have received exactly zero viruses through MSN in the last year, but the virus filter log at work shows several per day. I have received emails through MSN along with a notice that an attachment has been deleted.
4
posted on
03/23/2004 11:00:28 AM PST
by
js1138
To: ECM
And some people wonder why I use Opera...
That fat woman on TV?
5
posted on
03/23/2004 11:01:05 AM PST
by
MrB
To: Dbdaily
Interesting.
Yesterday I had an email in my Yahoo account which was suspicious. The sender claimed to be from Yahoo and it said that others had complained to Yahoo about spam being sent to them from my account. All of the options it gave me involved opening the attachment. One of the options was "add to address book."
6
posted on
03/23/2004 11:03:19 AM PST
by
pax_et_bonum
(Always finish what you st)
To: Dbdaily
Yahoo scans using Norton AV and tells you if something was detected which most of the time they remove. I never open emails from people I do not know. I just trash them.
7
posted on
03/23/2004 11:03:44 AM PST
by
hsmomx3
To: ECM
OSLO, Norway - Web surfers may be able to talk to their computers one day using a browser announced Tuesday by Opera Software.
The new browser incorporates IBM's ViaVoice technology, enabling the computer to ask what the user wants and "listen" to the request.
"Hi. I am your browser. What can I do for you?" asked a laptop with the demonstration versions of the browser.
The message can be personalized, such as greeting users by name. The computer learns to recognize users' voices, accents and inflections by having them read a list of words into a microphone.
Opera declined to give a launch date.
"Voice is the most natural and effective way we communicate," said Christen Krogh, head of Opera's software development. "In the years to come, it will greatly facilitate how we interact with technology."
8
posted on
03/23/2004 11:04:18 AM PST
by
BushCountry
(Eldest Boy's Funny T-Shirt Site (in college) -- http://www.cafeshops.com/lifeinamerica)
To: Dbdaily
To: pax_et_bonum
Definitely a scam - I got the same one on Sunday afternoon. It sounds almost official, doesn't it? Some grammatical error gave it away, though.
10
posted on
03/23/2004 11:05:13 AM PST
by
Xenalyte
("Marsa Stert is a britch and and I sit on the exhange")
To: ECM
Unfortunately, my version of Opera (v6.03) is not accepted by Hotmail. In other words, Hotmail won't let me access my email using Opera. Nice eh? Good thing I have Yahoo... it'll take any browser so far.
11
posted on
03/23/2004 11:05:31 AM PST
by
Freedom2specul8
(Please pray for our troops.... http://anyservicemember.navy.mil/)
To: hsmomx3
I've gotten to the point where I don't open attachments from people I do know unless we plan it in advance. I've gotten a virus from a friend. :-p
12
posted on
03/23/2004 11:06:52 AM PST
by
Freedom2specul8
(Please pray for our troops.... http://anyservicemember.navy.mil/)
To: ECM

The only way to surf....
13
posted on
03/23/2004 11:08:27 AM PST
by
machman
To: js1138
Yahoo scans attachments with NAV. Just for the heck of it, I just checked my Yahoo account, and found three identical mails, all of them with infected attachments - W32.Netsky.D@mm, to be precise. Anyway, Yahoo won't let you d/l dirty attachments, so I pretty much have to take their word for it.
14
posted on
03/23/2004 11:10:20 AM PST
by
general_re
(The doors to Heaven and Hell are adjacent and identical... - Nikos Kazantzakis)
To: Xenalyte
Yes, the grammatical errors were red flags. The sender must be a liberal.
:-)
Also, even though I'm not the most computer literate person around, I thought it was suspicious 1) that there was a need for me to open an attachment, considering the supposed "problem" and 2) that the Yahoo complaint department would want to be added to my address book.
15
posted on
03/23/2004 11:12:02 AM PST
by
pax_et_bonum
(Always finish what you st)
To: general_re
I find that the amount of spam I'm receiving in hotmail and MSN has dropped 90% in the last few months. I used to set aside a half hour each week to forward spams to the abuse@ people. I suspect they've learned some good ways to detect spoofed return addresses and relayed messages.
Centralized filtering and lawsuits are the only way this can be managed.
16
posted on
03/23/2004 11:21:02 AM PST
by
js1138
To: js1138
Actually, both Yahoo! Mail and the email from my ISP (EarthLink/MindSpring) use Norton Antivirus on the mail server version so the viruses are caught and stamped out before you can download them. In short, I don't get to see dangerous mail attachments on my local computer. =)
To: Dbdaily
Yawn!
18
posted on
03/23/2004 11:25:15 AM PST
by
sully777
(Our descendants will be enslaved by political expediency and expenditure)
To: RayChuang88
I suppose they don't advertise this much because they don't want to be liable if they let a killer virus through, but I'm sure the transmission of viruses is going down. Just in the last few months. I got hit real hard 18 months ago, and haven't seen any since (Now that I have NAV installed, it doesn't have anything to do.)
19
posted on
03/23/2004 11:30:52 AM PST
by
js1138
To: MrB
That fat woman on TV?
You're confused....you're thinking of Okra.
20
posted on
03/23/2004 11:36:39 AM PST
by
ErnBatavia
(Gay marriage is for suckers...)