Finjan finds Hotmail vulnerability

Microsoft worked with Finjan Software to fix the vulnerability within 24 hours. CEO Shlomo Touboul: "I'm very proud of our research center lab."

Internet content security company Finjan Software today announced that its Mobile Code Research Center (MCRC), which focuses on detecting the next potential attack by hackers, had discovered a new critical cross-site scripting vulnerability in Microsoft's Web-based e-mail service, Hotmail.

This vulnerability had the potential to allow hackers to develop an attack that could have caused significant computer damage during regular e-mail use, Finjan stated, adding that the new vulnerability was reported to Microsoft and fixed within 24 hours.

This vulnerability resulted from the failure of Hotmail's active content filter to adequately block ActiveX controls and affected all system platforms that read Hotmail e-mail messages, said Finjan.

Microsoft security program manager Stephen Toulouse said, "This vulnerability was discovered and reported to us by Finjan Software. We worked with Finjan Software to fix the issue within 24 hours and helped protect Hotmail users."

ActiveX controls are downloadable programs that run with the same rights and privileges as the user, allowing access to files and personal information stored on a local hard drive or shared network. An exploit could have launched automatically once a user opened an e-mail message. The vulnerability could have also potentially allowed a worm to read the address book of a Hotmail account, replicate and send itself to everyone in the address book, and have this process repeat at an exponential rate, the company said.

"Finjan asked us to replicate the vulnerability to validate their findings," said Drew Copley, research engineer at eEye Digital Security. "Their discovery of the vulnerability in Hotmail is accurate and had the potential to allow hackers to steal contacts, write e-mails in the name of the Hotmail user, and run active scripting. This security issue was extremely dangerous because these are the components required to create an automated, mail-borne worm."

Finjan Software founder and CEO Shlomo Touboul said he was very proud of the company’s MCRC labs. "They completely executed on their mission, to be one step ahead of hackers and detect dangerous vulnerabilities before they can be used for malicious intent. This newly discovered vulnerability in Hotmail could have led to a very dangerous Hotmail worm with a large impact to the Hotmail user community. Due to preliminary detection and reporting to Microsoft, this scenario was prevented."

Finjan said its content security products, SurfinGate for Web, SurfinGate for E-mail, SurfinShield Corporate and SurfinGuard Pro, provided proactive defense against this Hotmail vulnerability prior to its detection and correction.

Finjan Software is based in San Jose, California, and has research and development offices in Netanya, Israel.

Published by Globes [online] - www.globes.co.il - on 15 October, 2003
