IE flaw exposes weakness in filtering/Why Hotmail users get so much spam

[Guest guest]

- " Misty " <misty3 To:

" Armageddon or New Age " <armageddon-or-newage Friday,

March 26, 2004 3:46 AM IE flaw exposes weakness in

filtering/Why Hotmail users get so much spam

 

IE flaw exposes weakness in filtering By John Leyden Posted:

23/03/2004 at 11:52 GMT http://www.theregister.co.uk/content/55/36462.html

 

Flaws in the filtering technology used by Web-based email services make it

possible for hackers to smuggle viruses past defences.

 

Israeli security outfit GreyMagic Software warned today that this " severe

security " vulnerability could allow attackers to run code of their choice,

" simply by sending an email to an unsuspecting Hotmail or user " . When

the victim attempts to read this email, the code executes to potentially

dire consequence (e. g. theft of the user's login and password, seizure of

machines etc.).

 

The problem stems from a Cross-Site Scripting vulnerability involving IE. To

blame is a new way to embed script involving an IE technology called

HTML+TIME (based on SMIL), which is meant to add timing and media

synchronization support to HTML pages.

 

The flaw weakens the ability of Web-based email services to screen this type

of HTML content for malicious code. But users with up-to-date anti-virus

scanners and personal firewalls are likely to be protected, even if hackers

punch through that layer of defence.

 

GreyMagic has alerted Microsoft to this issue and worked with the company to

fix the vulnerability in Hotmail. Hotmail is no longer vulnerable.

 

Unfortunately, all attempts by GreyMagic to contact 's security

department failed; so webmail is still vulnerable.

 

GreyMagic warns that other web-based email systems may also be vulnerable.

Users of these services may want to use a browser other than IE as a

workaround, at least until a fix is in place. ®

 

Related stories Why Hotmail could spread viruses even faster than Outlook

Hotmail, guard against virus-spreading flaw

 

Why Hotmail users get so much spam By: John Leyden

http://www.theregister.co.uk/content/archive/17379.html

 

The Register Mobile: Find out what the fuss is about. Take the two week

trial today.

 

Hotmail has come under criticism for placing its rs' email

addresses on a public Internet directory site when they sign up for the

service, making them easy prey for spammers.

 

Customers signing onto Microsoft's free Web based email service are

automatically added to Infospace's Internet White Pages directory by

default, something that has got under the skin of privacy activists.

 

Uunless users opt-out by checking a box on Hotmail's registration form,

their addresses can rapidly enter spammers' databases, as Infospace's

privacy protection methods can be bypassed using a number of methods.

 

Usually, Infospace does not directly display a person's email address -

listings link only to forms which can be used to send emails to recipients.

However, according to an Associated Press report, these email addresses can

easily be obtained by running a search from an easy-to-find " backdoor " page,

among other techniques.

 

Microsoft's defence from criticism on the issue is also far from convincing.

 

A feature called " In-box Protector " allows Hotmail users to filter out most,

but not all of their spam messages, but this really doesn't go far enough in

helping users to deal with junk email.

 

For one thing Microsoft sees Hotmail users inclusion on the Infospace

directory as a " consumer benefit " - an attitude we feel it would surely

change if it had to pay for the cost of downloading spam itself.

 

The software giant also says it's complying with its privacy policy because

users can choose whether to be on the Infospace directory or not, but this

misses the point. It's easy to overlook the relevant box and users can

easily end up with a listing they really don't want.

 

Everyone would be a lot happier if Microsoft dropped the default

registration to Infospace, and only a cynic would suggest that Microsoft's

commercial relationship with a directory firm, judged more important than

the needs of its Hotmail users, is preventing it doing so. Surely not. ®

 

Related stories Hotmail punts user email addresses to advertisers Hotmail

hoax email: spam or we kick you off! Official: Spam costs E10 billion Spam

filters don't work shock new survey MS Hotmail caves to Harris over spam

blocking New MSN client swipes your email, spams your friends Doctors forced

to use Hotmail for confidential medical records Microsoft confirms Web site

blackout

 

External links Infospace. com