COMMAND

    javascript

SYSTEMS AFFECTED

    munices

PROBLEM

    David L. Nicol posted the following. He was informed that a free
    form data mailer he maintains (http://www.tipjar.com/generic.html)
    was involved in a JavaScript-based Hotmail password stealing
    scheme. He located the originating page (with the script) and
    sent it to the contact address Hotmail puts on their autoresponder
    documents.

    He will share a URL for the (fully escaped) exploit in a week or
    two, to give Hotmail time to patch their systems. So far it is
    known that the script is JavaScript which takes advantage of
    cookie-based security hooks to contact Hotmail's database and
    change your password.

SOLUTION

    The page with the script on it contains a warning that your
    password has just been trapped; so unless there are other copies
    of this script running around, all the victims know it already.