IE Flaw Exposes Weakness In Yahoo! Filtering
The Register | John Leyden
Posted on 03/24/2004 5:00:42 PM PST by LaserLock
Flaws in the filtering technology used by Web-based email services make it possible for hackers to smuggle viruses past defences. Israeli security outfit GreyMagic Software warned today that this "severe security" vulnerability could allow attackers to run code of their choice, "simply by sending an email to an unsuspecting Hotmail or Yahoo! user". When the victim attempts to read this email, the code executes to potentially dire consequence (e.g. theft of the user's login and password, seizure of machines etc.).
The problem stems from a Cross-Site Scripting vulnerability involving IE. To blame is a new way to embed script involving an IE technology called HTML+TIME (based on SMIL), which is meant to add timing and media synchronization support to HTML pages. The flaw weakens the ability of Web-based email services to screen this type of HTML content for malicious code. But users with up-to-date anti-virus scanners and personal firewalls are likely to be protected, even if hackers punch through that layer of defence.
GreyMagic has alerted Microsoft to this issue and worked with the company to fix the vulnerability in Hotmail. Hotmail is no longer vulnerable. Unfortunately, all attempts by GreyMagic to contact Yahoo's security department failed; so Yahoo! webmail is still vulnerable.
TOPICS: Announcements; Extended News; Miscellaneous; Technical
KEYWORDS: computersecurity
1 posted on 03/24/2004 5:00:43 PM PST by LaserLock
To: LaserLock
to smuggle viruses past defences
I read an article recently that said one guy sent a message to 30 co-workers that read "Do not open this attachment - it contains a virus and it will damage your computer".
The attachment was a program simply to report that "the attachment was opened by IP #xxx.xxx", so the sender knew who opened it.
He got 18 responses.
2 posted on 03/24/2004 5:21:06 PM PST by Izzy Dunne
(Hello, I'm a TAGLINE virus. Please help me spread by copying me into YOUR tag line.)
To: LaserLock
Unfortunately, all attempts by GreyMagic to contact Yahoo's security department failed; so Yahoo! webmail is still vulnerable.
So, GreyMagic decided to publish the vulnerability, so that hackers everywhere have a chance to punish Yahoo by writing a virus in the next week or so.
GreyMagic's action is very irresponsible.
To: LaserLock
Flaws in the filtering technology used by Web-based email services make it possible for hackers to smuggle viruses past defences.
This is a job for Richard Clarke. If he can't stop it no one can!
4 posted on 03/24/2004 5:34:07 PM PST by Azzurri
To: Tax Government
So, GreyMagic decided to publish the vulnerability, so that hackers everywhere have a chance to punish Yahoo by writing a virus in the next week or so.
GreyMagic's action is very irresponsible.
- Discovered on March 6th.
- Started working with Microsoft on March 11th.
- Presumably tried to contact Yahoo! about the same time.
- Announced on March 23rd.
Source.
So what would you do? Would you still be sitting on it, hoping and praying that Yahoo! would finally look at their e-mail? Would you ever announce?
GreyMagic is a software security firm just doing its job. Yahoo security should be doing its job, but is apparently asleep at the switch.
To: TechJunkYard
I guarantee you that I, with just a telephone and email acct, and no "in's" at Yahoo and no particular strings to pull, can get somebody's attention in 24 hours, high enough in that org to take action on a threat such as this.
To: TechJunkYard
You don't get it, do you? He had to go public without describing the exact nature of the threat. It's not only Yahoo. As it stands now, Microsoft gets competitive advantage over Yahoo because of ... Microsoft's poor code. This guy is a disgrace. There is no proof that "presumably" he contacted Yahoo. I'd say that "presumably" MS contacted him to announce the bug they just fixed in order to damage Yahoo. What proof is there for either?
7 posted on 03/24/2004 9:07:45 PM PST by CrucifiedTruth
(The Crucified Truth lives forever.)
To: TechJunkYard
To your question, what would I do... I would NOT publish the details of the vulnerability until it had been corrected, since that guarantees it will be aggressively exploited. Instead, I would do this:
1) try to contact Yahoo through its switchboard;
2) within 24 hours, notify some organizations interested in computer security, seeking their help to find the balance between warning the public, without disclosing the exploit in great detail;
3) within 24 hours, notify the FBI and/or Dept. of Homeland Security. They certainly have an interest, and could get the attention of a person or group at Yahoo, when a private individual or company might not.
What I would NOT do is describe the vulnerability in detail in public, until the people who had a responsibility and ability to fix it had been effectively notified.
The conclusion I am drawn to is that this organization used the vulnerability as a way to get publicity for itself, and in so doing, put the public at increased risk. And, possibly, people at Microsoft saw in publishing Yahoo's failure to fix it, a way to one-up Yahoo.
To: Tax Government
People interested in Windows security might not know about the Baseline Security Analyzer. I just found out; excuse me if you already do. Doubtless many of you already knew.
Go to http://www.microsoft.com ; search for Baseline Security Analyzer.
To: LaserLock
Bump
10 posted on 03/24/2004 9:21:49 PM PST by Fiddlstix
(This Space Available for Rent or Lease by the Day, Week, or Month. Reasonable Rates. Inquire within.)
To: Izzy Dunne; glock rocks
"The attachment was a program simply to report that "the attachment was opened by IP #xxx.xxx", so the sender knew who opened it.
He got 18 responses."
And nobody recognized this as unsatisfied employees wanting a few days off while the network computer system was being rebuilt?
11 posted on 03/25/2004 9:16:30 PM PST by B4Ranch
(" A nation that cannot control its borders is not a nation" President Reagan)
To: LaserLock
No surprise here. IE and Outlook have been banned from my PC at home for security reasons. Now I'm using the Mozilla browser and mail client at home, but still have to use Micro$uck's rickety bloatware at the office.
12 posted on 03/26/2004 8:23:48 AM PST by FierceDraka
(Service and Glory!)
To: TechJunkYard
Maybe Yahoo's security is offshored and they are asleep during our day-shift.
13 posted on 03/26/2004 1:48:54 PM PST by ninenot
(Minister of Membership, TomasTorquemadaGentlemen'sClub)
To: Professional Engineer
ping
14 posted on 03/27/2004 9:08:50 PM PST by msdrby
(US Veterans: All give some, but some give all.)
To: Izzy Dunne
...co-workers that read "Do not open this attachment - it contains a virus and it will damage your computer".
I've seen this happen. Several years ago, a virus hit my office. I told all my coworkers to not open so and so message. One did. Twit
15 posted on 03/28/2004 1:24:54 PM PST by Professional Engineer
(3/11/04 saw the launching of the Moorish reconquest of Spain.)
To: Tax Government
GreyMagic's action is very irresponsible.
So then what do you call CERT advisories? Criminal negligence?
I think it was good of them to warn the public that their platform is weakened.
16 posted on 03/28/2004 1:27:51 PM PST by Centurion2000
(Resolve to perform what you must; perform without fail that what you resolve.)
To: Centurion2000
GreyMagic should have tried harder than they did to get the Yahoo problem fixed. Their decision to "notify the world, because they couldn't get through to Yahoo" is self-serving and not credible.