COMMAND

    javascript

SYSTEMS AFFECTED

    most of us....

PROBLEM

    Michael  Wheaton  posted  the  following.   Everyone wants to freeze
    someone's computer when they read  an e-mail, right?  Hotmail  has
    put their  security way  up but  still Yahoo!Mail  and hundreds of
    others can be used to freeze  a person's computer easily!  As  you
    know, JavaScript can  be used to  execute functions on  a person's
    computer without their permission to do so.  A while ago you  used
    to be able to execute JavaScript on HotMail but they've completely
    removed that possibility for now.  JavaScript has been blocked out
    of many other popular e-mail programs but  Michael has  discovered
    a method to get past this.

    By  enclosing  the  JavaScript  inside  an  IMG  tag you can still
    execute it!  Also, change "javascript" to "javasCript" and it will
    get past more e-mail programs!  Here is what Michael used:

        <IMG SRC="javasCript:for(var i = 0; i < 500; i++) window.open('http:://www.eat.com');">

    Please note  that for  your protection  a bunch  of the letter "x"
    has been inserted.  Simply remove the "x"s and it should work just
    fine.  It  will immediately begin  to execute 500  pop up windows,
    enough to crash web browsers and even freeze the computer!  It has
    been tested on YahooMail and a couple of others and worked great!

    Send it out to anyone you want and it should freeze their computer
    wonderfully.   For  extra  good  results  make  the image width be
    "0000000000000000000000000000000000000001" or something like that.
    The large size will mess up the browser even more!  It can also be
    adapted to a web page!

SOLUTION

    Disable javascript....!  There is  nothing new about this, and  in
    general freezing their computer isn't too entertaining.  The  more
    useful (and annoying  to the user)  stuff is when  you steal their
    web based email account.

    You can still execute arbitrary javascript on a majority of  users'
    browsers on a vast majority of web based email services, including
    hotmail, yahoo mail, etc.  All  it takes is being a little  crafty
    with  the  HTML,  perhaps  including  exploiting  browser specific
    issues like  IE's bug  where it  will treat  "java\000script" like
    "javascript", where \000 is a null character.

    Until these companies  get over the  misconception that they  have
    any hope of filtering only  "bad" HTML out of messages,  this will
    continue to  be an  issue.   Hotmail has  been vulnerable  to such
    attacks 100% of the time since it was started, people just haven't
    found it interesting enough to  keep finding the next way  to work
    around their filters or they  haven't kept posting them.   Combine
    this with poor use of  cookies from a security standpoint  and the
    requirement  of  many  web  based  email  services  that  you have
    javascript  enabled  just  to  use  the  service...  and you leave
    yourself wide open.

    The task that lies in front of providers of web based email is  to
    add a safe mode, that may  or may not be enabled by  default, that
    does not allow HTML  to be interpreted in  messages at all.   Then
    they can  also have  a mode  where a  specific subset  of HTML  is
    permitted, and everything else is  denied.  Then they have  a last
    resort mode that  lets you read  a message with  everything except
    what they think  is "unsafe" markup  passed through, that  you can
    use for a  particular message if  you have cause  to.  As  long as
    hotmail  continues  along  its  current  path  of "we think we can
    filter out the bad stuff", they will always be vulnerable. Period.
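
    The following is an added example, not code from the advisory  or
    from any  of the  providers it  names.  It  puts a  literal-string
    blacklist of  the "filter  out the  bad stuff"  kind beside  a tiny
    allowlist  filter  of  the  kind  the  SOLUTION  asks  for,  and runs
    both over constructed messages: the "javasCript" IMG from the post,
    the IE "java\000script" variant,  the oversized width trick, and  a
    benign message that must survive.  The URL normalisation (stripping
    all control characters and  whitespace before reading the  scheme)
    is an assumption  that generalises the  IE null-byte note;  the tag
    and attribute set  is an arbitrary  illustrative subset.  The  tag
    tokeniser is deliberately minimal; a production filter would use  a
    real HTML parser, but the allow/deny decision is the same.

```javascript
// Added example (not from the advisory): a literal-string blacklist beside an
// allowlist filter. All sample messages below are constructed for this example.

// Constructed sample messages: the "javasCript" IMG from the advisory, the
// IE null-byte variant the SOLUTION mentions, the oversized width trick,
// and a benign message that the filter must leave intact.
const MESSAGES = {
  caseVariant: '<IMG SRC="javasCript:for(var i = 0; i < 500; i++) window.open(\'http:://www.eat.com\');">',
  nullByte:    '<IMG SRC="java\u0000script:alert(document.cookie)">',
  hugeWidth:   '<img src="http://www.example.com/pic.gif" width="0000000000000000000000000000000000000001">',
  benign:      '<p>Hello</p><img src="http://www.example.com/pic.gif" width="10">',
};

// Blacklist: delete the literal string "javascript:". This is the "filter
// out the bad stuff" approach; it only catches the exact spelling it knows.
function blacklistFilter(html) {
  return html.replace(/javascript:/g, '');
}

// Normalise a URL attribute the way a lenient browser will before reading
// its scheme: drop control characters and whitespace (an assumption that
// generalises the IE "java\000script" note to all control characters) and
// ignore case, so "javasCript:" and "java\0script:" both come out as
// "javascript". Returns null when there is no scheme at all.
function schemeOf(value) {
  const normalised = value.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = normalised.match(/^([a-z][a-z0-9+.-]*):/);
  return m ? m[1] : null;
}

const ALLOWED_SCHEMES = new Set(['http', 'https']);

// Attribute validators: a URL must carry an explicitly permitted scheme
// (scheme-less URLs are rejected too, since in mail they would resolve
// against the webmail host); a dimension must be a short plain integer.
function safeUrl(value) {
  const scheme = schemeOf(value);
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}
function smallInteger(value) {
  return /^[0-9]{1,4}$/.test(value);
}

// The permitted subset (illustrative): tag -> { attribute -> validator }.
// Anything not listed (tags, attributes, event handlers, styles) is dropped.
const ALLOWED = {
  p: {}, b: {}, i: {}, br: {},
  a:   { href: safeUrl },
  img: { src: safeUrl, width: smallInteger, height: smallInteger },
};

// Own-property lookup only: a plain ALLOWED[name] would accept a tag or
// attribute named "constructor" or "toString" via Object.prototype.
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Minimal tag/attribute tokeniser (a real filter would use an HTML parser).
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[a-zA-Z-]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;

function escapeText(text) {
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Allowlist: rebuild the message from scratch, emitting only tags and
// attributes that are in ALLOWED and whose values pass their validator.
function allowlistFilter(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    const [, closing, rawName, rawAttrs] = m;
    const name = rawName.toLowerCase();
    if (!own(ALLOWED, name)) continue;            // unknown tag: dropped whole
    if (closing) { out += '</' + name + '>'; continue; }
    const rules = ALLOWED[name];
    let attrs = '';
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const attr = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!own(rules, attr) || !rules[attr](value)) continue;  // not allowed: dropped
      attrs += ' ' + attr + '="' + value.replace(/"/g, '&quot;') + '"';
    }
    out += '<' + name + attrs + '>';
  }
  return out + escapeText(html.slice(last));
}

for (const [label, html] of Object.entries(MESSAGES)) {
  console.log(label, '| blacklist:', blacklistFilter(html));
  console.log(label, '| allowlist:', allowlistFilter(html));
}
```

    The  three  modes  the  SOLUTION  describes  map  onto  this  code:
    escapeText() over the whole message is the "no HTML at all"  mode,
    allowlistFilter() is the "specific subset permitted, everything else
    denied" mode,  and blacklistFilter()  is the  last-resort mode  that
    passes everything  except what  the provider  thinks is  unsafe.  The
    blacklist leaves both the case variant and the null-byte variant
    untouched, while the allowlist reduces  both to a bare <img>  and
    strips the oversized width, without touching the benign message.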