COMMAND

    Hotmail

SYSTEMS AFFECTED

    Hotmail

PROBLEM

    Georgi Guninski found yet another Hotmail security hole: injecting
    JavaScript in IE using <IMG DYNSRC="javascript:....">.  Hotmail
    allows executing JavaScript code in email messages using
    <IMG DYNSRC="javascript:....">, which may compromise a user's
    Hotmail mailbox when the message is viewed with Internet Explorer.

    There is  a security  flaw in  Hotmail which  allows injecting and
    executing JavaScript code in an email message using the javascript
    protocol.   This  exploit  works  on  Internet  Explorer.  Hotmail
    filters the "javascript:" protocol for security reasons.  But  the
    following JavaScript is executed:

        <IMG DYNSRC="javascript:alert('Javascript is executed')">

    if the user has enabled automatic loading of images (most users
    have).  Executing JavaScript when the user opens a Hotmail email
    message allows, for example, displaying a fake login screen where
    the user enters his password, which is then stolen.  No need to
    make a scary demonstration, but it is also possible to read the
    user's messages, to send messages in the user's name and to do
    other mischief.  It is also possible to get the cookie from
    Hotmail, which is dangerous.  Hotmail deliberately escapes all
    JavaScript (it can escape) to prevent such attacks, but obviously
    there are holes.

    The code that must be included in an HTML email message is:

        <IMG DYNSRC="javascript:alert('Javascript is executed')">

SOLUTION

    Workaround: Disable JavaScript.  This is a good security hint, but
    it is no workaround for Hotmail users: Hotmail needs JavaScript,
    and without it you only get the following message:

        Sign In  Access Error  JavaScript required.  The browser  that
        you are  using does  not support  JavaScript, or  you may have
        disabled JavaScript.
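
    The filter gap described under PROBLEM, as an added example that is
    not part of the original advisory and not Hotmail's code: a filter
    that only checks the attributes it knows about lets DYNSRC through,
    while an allowlist sanitizer drops it.  The tag/attribute policy,
    the "x-blocked:" rewrite and all function names are assumptions.

```python
import re
from html import escape
from html.parser import HTMLParser

ADVISORY_SAMPLE = """<IMG DYNSRC="javascript:alert('Javascript is executed')">"""
# Assumed policy for this sketch: the only tags/attributes a mail body keeps.
ALLOWED = {"a": {"href"}, "img": {"src", "alt"}, "p": set(), "b": set(), "br": set()}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID = {"img", "br"}
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.I)

def url_is_safe(value):
    # Browsers ignore whitespace and control characters inside the scheme.
    compact = "".join(ch for ch in value if ord(ch) > 0x20)
    m = SCHEME_RE.match(compact)
    return m is None or m.group(1).lower() in SAFE_SCHEMES

def denylist_filter(html):
    """Assumed stand-in for a filter that only checks attributes it knows about."""
    return re.sub(r'(?i)\b(src|href)\s*=\s*(["\']?)\s*javascript:', r"\1=\2x-blocked:", html)

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown element: drop the tag, keep its text (escaped)
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in ALLOWED[tag] and (name not in URL_ATTRS or url_is_safe(value)):
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

    Because attributes are kept only when they appear in the policy, a
    vendor-specific attribute such as DYNSRC never has to be anticipated.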