http://www.newsbytes.com/news/01/169934.html

By Brian McWilliams, Newsbytes
REDMOND, WASHINGTON, U.S.A.,
10 Sep 2001, 4:19 PM CST

A new technique for attacking MSN Hotmail users has been discovered, the latest in a cat-and-mouse game between Microsoft [NASDAQ:MSFT] and Javascript security holes.

By adding Javascript to the "From" line of a message sent to a Hotmail user, an attacker can evade the filters Microsoft has put in place to protect the millions who rely on MSN's popular Web-based e-mail service, Newsbytes has confirmed.

Microsoft representatives said the company was investigating the new attack and declined further comment.

The technique, announced today on a security mailing list, doesn't even require that the victim open the booby-trapped message.

According to a posting from Bart van Arnhem, a resident of the Netherlands using the nickname "Oblivion," Hotmail takes the From address on an incoming message and builds it into the HTML code for displaying the Hotmail user's Inbox. As a result, simply viewing the service's Inbox page will cause the hostile Javascript to execute.

In an e-mail interview with Newsbytes, van Arnhem said that while Hotmail allows any data to be inserted in the "From" line of incoming messages, the service appears to be filtering Javascript from the "Subject" line.

[...]
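
The article reports that Hotmail built the From header into the Inbox HTML while filtering only the Subject line. As an added example (not from the article and not Microsoft's code), this Python code contrasts that per-field handling with encoding every header at the point of output; the function names and the sample message are constructed for illustration, and HTML-escaping is an assumed mitigation, not the fix Microsoft applied.

```python
from email import message_from_string
from html import escape

# Constructed sample message: both headers carry markup from the sender.
RAW = (
    'From: "<script>/*constructed*/</script>" <sender@example.com>\n'
    'Subject: <script>/*constructed*/</script> hello\n'
    'To: user@example.com\n'
    '\n'
    'body\n'
)


def inbox_row_subject_only(msg):
    """Mirrors the reported gap: Subject is neutralised, From is not."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        msg["From"],  # untrusted header copied into the page as-is
        escape(msg["Subject"], quote=True),
    )


def inbox_row_encoded(msg, fields=("From", "Subject")):
    """Encode every header where it is written out, with no per-field exceptions."""
    cells = "".join(
        "<td>%s</td>" % escape(msg.get(name, ""), quote=True) for name in fields
    )
    return "<tr>%s</tr>" % cells


def contains_live_tag(html_row):
    """Crude check for this demo: did any '<script' survive unencoded?"""
    return "<script" in html_row.lower()


if __name__ == "__main__":
    msg = message_from_string(RAW)
    for render in (inbox_row_subject_only, inbox_row_encoded):
        row = render(msg)
        print(render.__name__, "-> live tag in row:", contains_live_tag(row))
```

Encoding at output, keyed to the HTML context rather than to a list of fields believed to be risky, is what keeps a newly displayed header from reopening the same hole.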