A security research and development company on Tuesday reported that a vulnerability in Web-based e-mail services could lead to the theft of password information as well as open a users machine to attack by worms or other threats.
According to an alert issued Tuesday by Israel-based developer and security consultancy GreyMagic Software, a flaw in e-mail filtering software for both Yahoo Inc. and Microsoft Corp.s Hotmail Web-based e-mail services could result in the theft of login and password information; the disclosure of message contents in the users mailbox and contact file; and the exploitation of the users machine by an outside agent.
GreyMagic said in its report, dubbed “Remotely Exploitable Cross-Site Scripting in Hotmail and Yahoo,” that the intrusion mechanism was not limited to Hotmail and Yahoo and could apply to “other Web-based services that attempt to filter HTML input.”
However, the company said Microsoft was alerted to the flaw and had fixed Hotmail earlier in the month. It had not been contacted by Yahoo about its service.
The bulletin said the vulnerability leverages the Synchronized Multimedia Integration Language (SMIL)-based HTML+TIME technology found in Internet Explorer, which improves the timing and media synchronization to Web pages. When users open the message using the Internet Explorer browser, the vulnerability is activated.