Malicious Java script shuts down Hotmail

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

Posted 11/05/2000 5:17am by Thomas C. Greene in Washington

Micro$oft's engineering bias preferring features over security has turned on them again. The company was forced to take its Hotmail service off line for about four hours Wednesday to bung a security hole enabling a malicious spammer to intercept Hotmail authentication cookies and take over users' accounts.

The exploit uses an HTML attachment containing a malicious Java script. When the victim views the attached file, the script intercepts the cookies and forwards them to a hostile site.

The cookies are used for authentication and give anyone who intercepts them complete access to the victim's account, an intrusion which could also yield access to POP account passwords stored on the Hotmail server.

Hotmail blocks Java script in e-mail messages, but not in attachments.

Hotmail has fixed the hole by redirecting victims who activate the attachment before the Java script has a chance to intercept the cookies.

Further details on the exploit and an example of the attachment are available from Peacefire.

http://www.theregister.co.uk/

-- Carl Jenkins (Somewherepress@aol.com), May 11, 2000
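
An added illustration, not part of the article above nor of Hotmail's actual fix: a Python check for the gap the article describes, i.e. scanning HTML attachments (not only the message body) for anything that can execute script before the attachment is served. The MIME message and boundary are constructed for this example.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample: plain-text body, but the HTML attachment carries script.
SAMPLE_MESSAGE = b"""\
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please open the attached page.
--XYZ
Content-Type: text/html; name="page.html"
Content-Disposition: attachment; filename="page.html"

<html><body onload="init()">
<script>var c = document.cookie;</script>
<a href="javascript:void(0)">link</a>
</body></html>
--XYZ--
"""

class ScriptFinder(HTMLParser):
    """Collect the ways HTML can run script: <script>, on* handlers, javascript: URLs."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}=javascript:")

def scan_attachments(raw):
    """Return {filename: findings} for every HTML attachment that can execute script."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():  # skips the body part(s), keeps attachments
        if part.get_content_type() != "text/html":
            continue
        finder = ScriptFinder()
        finder.feed(part.get_content())
        if finder.findings:
            report[part.get_filename()] = finder.findings
    return report
```

A mail service would run this (or a real HTML sanitizer) on each attachment before rendering it, and refuse or neutralise any part with findings.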
