Yahoo, Hotmail vulnerable to security flaw

A security company is warning users of Yahoo Inc.'s Web e-mail service and Microsoft Corp.'s Hotmail service of a serious security flaw that could allow remote attackers to run malicious computer scripts on computers using Microsoft's Internet Explorer Web browser to check Web e-mail accounts.

The vulnerability was discovered in an Internet Explorer (IE) feature used to process extensions to HTML (Hypertext Markup Language) called HTML + TIME. The security hole could allow attackers to steal login and password information, or browse the contents of an e-mail account, according to an advisory released by GreyMagic Software.

The company tested the vulnerability against Yahoo and Hotmail, but it could affect other e-mail services, GreyMagic said.

Microsoft was informed of the problem on March 11 and has already patched its Hotmail service against the hole. However, Yahoo users and other users of Web based e-mail services could be vulnerable to attack using the security hole, GreyMagic said.

Yahoo could not be reached for comment.

HTML + TIME, or Timed Interactive Multimedia Extensions for HTML, is a technology standard that adds support for media playback timing and SMIL (Synchronized Multimedia Integration Language) files to HTML. HTML + TIME is intended to make it easier to deliver multimedia content to Web browsers over the Internet, according to the World Wide Web Consortium.

Hotmail and Yahoo filter incoming HTML-format e-mail messages for malicious code. However, the filtering, combined with support for HTML + TIME, makes it possible to use to inject malicious script into incoming e-mail messages, GreyMagic said.

The script would be run when the Web e-mail message is opened and could be used to exploit the machine on which the Web mail was being read. However, the IE browser had to be used to check the Web mail account for the exploits to work, the company said.

GreyMagic says the HTML + TIME vulnerability creates a new avenue for embedding malicious script in e-mail messages and may not be detected by other Web e-mail providers.

Join the newsletter!

Or
Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?