Security flaw found in Hotmail
Security company Finjan Software detected a security vulnerability in Microsoft's Hotmail Web-based e-mail service, and Microsoft has since closed the hole, the companies said Wednesday.
The new security flaw, known as a cross-site scripting vulnerability, could be used to create an Internet worm that steals e-mail addresses from Hotmail users' accounts, captures credit card numbers, or installs Trojan horse programs, Finjan said.
The vulnerability exists in the way that Hotmail treats e-mail containing ActiveX controls, which are small, portable pieces of software code that enable programmers to embed sophisticated user interface elements into Web pages for use over a corporate intranet or the Internet. Hotmail content filters do not adequately block e-mail messages containing the controls, Finjan said.
In cross-site scripting attacks, malicious hackers embed attack code in Web pages or HTML e-mail messages. Once executed, cross-site scripting attacks can give attackers access to personal account or financial information or control over a remote machine.