Flaw means Hotmail and Yahoo Mail users vulnerable

A flaw in the way web-based email services Hotmail and Yahoo Mail filter messages left users open to attack via specially crafted online scripts, a security specialist said on Tuesday.

The glitch created the possibility of attacks that could have let web miscreants steal passwords, access the content of email opened by victims or even spread worms through web email, said Lee Dagon, director of research and development for Israeli computer security firm GreyMagic Software. GreyMagic discovered the flaw on 6 March and released an advisory about it Tuesday.

"Hotmail and Yahoo do everything they can to prevent script from running in an email message," Dagon said, readily filtering the Hypertext Markup Language content that arrives in messages. "We found a way to bypass their filters in order to make script run."

Technically, the vulnerability is part of a class of problems known as cross-site scripting flaws. Such flaws use a problem in a site's security to pass potentially harmful commands to another site or a user's computer. The Open Web Applications Security Project has labelled such flaws the number one issue ecommerce sites face. The current issue uses a feature of Internet Explorer and thus only affects users of Microsoft's browser.

Microsoft, which had been working on the problem with GreyMagic since 11 March, has already fixed the flaw by filtering the potentially malicious script at Hotmail's servers. "Hotmail customers are fully protected from the vulnerability," a Microsoft representative said.

Yahoo said on Tuesday afternoon that it expects to have the flaw fixed "shortly".

Yahoo never got the original alert from the security firm, due to an internal glitch, a company representative said Tuesday, after being told of the advisory by silicon.com sister site CNET News.com.

"Due to an isolated issue, we became aware of this specific report after it was first reported to us and have taken steps to prevent [such oversights] from occurring in the future," a representative said in an email.

The vulnerability takes advantage of the seldom-used HTML+TIME module in Internet Explorer, which allows the browser to add timing and synchronization to web pages. The flaw itself is not in Internet Explorer, however, or Outlook. It requires a web service to actually have some interesting content to attack, GreyMagic's Dagon said.

"A script in Outlook would have to rely on a second vulnerability to do any real damage," he said. "However, when a script is running in web-based services, it has immediate access to the entire mailbox."

Microsoft's Hotmail had issues two weeks ago, due to unknown problems with the software giant's Internet identity service, Passport. In December, Yahoo had to patch a flaw in its instant-messenger client that could have left users open to attack.

The advisory that describes the issue can be found on GreyMagic's website.

Robert lemos writes for CNET News.com. Jim Hu contributed to this report.