Finjan Software discovered a new critical cross-site
scripting vulnerability in Microsoft's Web-based e-mail
service, Hotmail. This vulnerability had the potential
to allow hackers to develop an attack that could have caused
significant computer damage during regular e-mail use. The
new vulnerability was reported to Microsoft and fixed within
24 hours.
This vulnerability resulted from the failure of Hotmail's
active content filter to adequately block ActiveX controls
and affected all system platforms that read Hotmail e-mail
messages. An exploit could have launched automatically
once a user opened an e-mail message. The vulnerability
could also have allowed a worm to read the address
book of a Hotmail account, replicate and send itself to
everyone in the address book, and have this process repeat
at an exponential rate. This potentially very dangerous Hotmail
worm could have had a large impact on the Hotmail user community.
Due to early detection and reporting to Microsoft,
this scenario was prevented.
TECHNICAL DETAILS
This was a cross-site scripting vulnerability of the Hotmail
server.
The purpose of Hotmail's active content filter is to block
the injection of any active content into Hotmail messages.
However, the basic failure that allowed this vulnerability
was that dangerous tags were not blocked if they were
prefixed with more than two dashes, e.g. ---<LINK,
---<object, ---<iframe.
For example: <iframe src=http://www.finjan.com>
The LINK tag can be used to call a CSS file that includes
JavaScript code.
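As an added illustration (not Finjan's or Microsoft's code), the Python audit below shows how an active-content filter built on an HTML tokenizer reports dangerous tags regardless of what characters precede the "<", so the dash prefixes named above do not change the result. The tag list, the event-handler attribute check and the sample messages are assumptions constructed for this example.

```python
from html.parser import HTMLParser

# Tags that can pull active content into a web-mail message. LINK, OBJECT and
# IFRAME are the ones named in the advisory; the rest are added here as the
# usual companions an active-content filter also rejects (assumed list).
DANGEROUS_TAGS = {"link", "object", "iframe", "script", "embed", "applet", "meta", "base"}


class ActiveContentAuditor(HTMLParser):
    """Record every start tag and event-handler attribute a filter should reject.

    Because this works on the tokenizer's view of the markup, leading data such
    as "---" is just text; the tag that follows is still seen as a tag, and
    tag names are normalised to lower case (so <LINK and <link are the same).
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        self._check(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._check(tag, attrs)

    def _check(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, _value in attrs:
            # on* attributes (onload=, onclick=, ...) are script hooks.
            if name.startswith("on"):
                self.findings.append(f"attr:{tag}@{name}")


def audit_message(html: str) -> list:
    """Return the list of findings for one message body (empty means clean)."""
    auditor = ActiveContentAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def is_clean(html: str) -> bool:
    return not audit_message(html)


if __name__ == "__main__":
    # Constructed samples modelled on the advisory's examples.
    for sample in ("---<iframe src=http://www.finjan.com>",
                   "---<LINK rel=stylesheet href=style.css>",
                   "<p>Plain text with --- dashes</p>"):
        print(repr(sample), "->", audit_message(sample))
```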
The injected JavaScript code is responsible for:
- Getting Passport cookies.
- Automatic launching of malicious code.
- Identity theft using a spoofed re-login window (suggested
by http-equiv@malware.com).
- Reading and disclosing the user's inbox and contacts.
- Sending an e-mail message.
The JavaScript code has been used for creating demos, but
Finjan Software won't reveal this source code.
The ActiveX control could have been used as the destructive
payload of the propagating worm. It also allows propagation
to non-Hotmail users.
PROTECTION
This specific vulnerability has been eliminated by Microsoft
based on Finjan Software's notification. Finjan's content
security products: SurfinGate for Web, SurfinGate for E-mail,
SurfinShield Corporate and SurfinGuard Pro, provided proactive
defense against this Hotmail vulnerability prior to its
detection and correction. Finjan's patented behavior inspection
engine will protect computer users from similar future vulnerabilities
and comparable potential exploits.
FINJAN PROACTIVE SOLUTIONS
Finjan Software redefines enterprise level content security
and management. Some of the world's leading companies have
chosen Finjan's Vital Security Platform for its unmatched
ability to protect companies against new virus outbreaks
without the need to rapidly deploy time-consuming signature
updates or implement restrictive policy "lock downs."
Finjan's proactive security solutions at the gateway, server
or client, protect against malicious threats that come through
the Web and e-mail and provide the optimal balance between
security and productivity.
Prevention is the best cure!
Finjan Software products are available at: http://www.virusdefence.com.au/solutions/finjan.asp