Web-based Mail Threat Looms

A security company on Tuesday warned that a new threat exists for Web-based e-mail services such as Yahoo and Hotmail. Microsoft has patched its service, the researchers said.

A security research and development company on Tuesday reported that a vulnerability in Web-based e-mail services could lead to the theft of password information as well as open a users machine to attack by worms or other threats.

According to an alert issued Tuesday by Israel-based developer and security consultancy GreyMagic Software, a flaw in e-mail filtering software for both Yahoo Inc. and Microsoft Corp.s Hotmail Web-based e-mail services could result in the theft of login and password information; the disclosure of message contents in the users mailbox and contact file; and the exploitation of the users machine by an outside agent.

GreyMagic said in its report, dubbed "Remotely Exploitable Cross-Site Scripting in Hotmail and Yahoo," that the intrusion mechanism was not limited to Hotmail and Yahoo and could apply to "other Web-based services that attempt to filter HTML input."

However, the company said Microsoft was alerted to the flaw and had fixed Hotmail earlier in the month. It had not been contacted by Yahoo about its service.

The bulletin said the vulnerability leverages the Synchronized Multimedia Integration Language (SMIL)-based HTML+TIME technology found in Internet Explorer, which improves the timing and media synchronization to Web pages. When users open the message using the Internet Explorer browser, the vulnerability is activated.

/zimages/3/28571.gifCheck out eWEEK.coms Security Center at http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page: /zimages/3/19420.gif http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif