Yahoo, Hotmail vulnerable to security flaw

A security company is warning users of Yahoo Inc.'s Web e-mail service and Microsoft Corp.'s Hotmail service of a serious security flaw that could allow remote attackers to run malicious computer scripts on computers using Microsoft's Internet Explorer Web browser to check Web e-mail accounts.

The vulnerability was discovered in an Internet Explorer (IE) feature used to process extensions to HTML (Hypertext Markup Language) called HTML + TIME. The security hole could allow attackers to steal login and password information, or browse the contents of an e-mail account, according to an advisory released by GreyMagic Software.

The company tested the vulnerability against Yahoo and Hotmail, but it could affect other e-mail services, GreyMagic said.

Microsoft was informed of the problem on March 11 and has already patched its Hotmail service against the hole. However, Yahoo users and other users of Web based e-mail services could be vulnerable to attack using the security hole, GreyMagic said.

Yahoo could not be reached for comment.

HTML + TIME, or Timed Interactive Multimedia Extensions for HTML, is a technology standard that adds support for media playback timing and SMIL (Synchronized Multimedia Integration Language) files to HTML. HTML + TIME is intended to make it easier to deliver multimedia content to Web browsers over the Internet, according to the World Wide Web Consortium.

Hotmail and Yahoo filter incoming HTML-format e-mail messages for malicious code. However, the filtering, combined with support for HTML + TIME, makes it possible to use to inject malicious script into incoming e-mail messages, GreyMagic said.

The script would be run when the Web e-mail message is opened and could be used to exploit the machine on which the Web mail was being read. However, the IE browser had to be used to check the Web mail account for the exploits to work, the company said.

GreyMagic says the HTML + TIME vulnerability creates a new avenue for embedding malicious script in e-mail messages and may not be detected by other Web e-mail providers.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?