Finjan Software Discovers a New Critical Vulnerability In Microsoft Hotmail

Microsoft Hotmail Vulnerability

Release Date:
October 15, 2003

Severity:
Critical (Potential Hotmail worm)

Systems Affected:
Internet Explorer and any software application used for reading Hotmail 
messages.

Status:
Microsoft has already patched the Hotmail system.

Description:
Finjan Software discovered a new critical cross-site scripting vulnerability in 
Microsoft's Web-based e-mail service, Hotmail.  This vulnerability had the 
potential to allow hackers to develop an attack that could have caused 
significant computer damage during regular e-mail use.  The new vulnerability 
was reported to Microsoft and fixed within 24 hours.

This vulnerability resulted from the failure of Hotmail's active content filter 
to adequately block ActiveX controls, and it affected all system platforms that 
read Hotmail e-mail messages.  An exploit could have launched automatically 
once a user opened an e-mail message.  The vulnerability could also have 
allowed a worm to read the address book of a Hotmail account, replicate, send 
itself to everyone in the address book, and repeat this process at an 
exponential rate.  Such a very dangerous Hotmail worm could have had a large 
impact on the Hotmail user community.  Because of early detection and reporting 
to Microsoft, this scenario was prevented.

"This vulnerability was discovered and reported to us by Finjan Software", said 
Stephen Toulouse, security program manager, Microsoft Corporation.  "We worked 
with Finjan Software to fix the issue within 24 hours and helped protect 
Hotmail users." 

"Finjan asked us to replicate the vulnerability to validate their findings," 
said Drew Copley, research engineer at eEye Digital Security. "Their discovery 
of the vulnerability in Hotmail is accurate and had the potential to allow 
hackers to steal contacts, write e-mails in the name of the Hotmail user, and 
run active scripting.  This security issue was extremely dangerous because 
these are the components required to create an automated, mail-borne worm."

Technical details:
The potential worm could have done anything that the user could do.  It was a 
potentially automatic attack: users simply had to read the infected e-mail 
message.

This was a cross-site scripting vulnerability in the Hotmail server.
The purpose of Hotmail's active content filter is to block the injection of any 
active content into Hotmail messages.  However, the basic failure that allowed 
this vulnerability was that dangerous tags were not blocked if they were 
prefixed with more than two dashes, e.g. ---<LINK, ---<object, ---<iframe.
For example: <iframe src=http://www.finjan.com> 
The LINK tag can be used to call a CSS file that includes JavaScript code.
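A filter of this kind holds up better when it tokenizes the message body and keeps only allowlisted markup, rather than pattern-matching for dangerous tags: a tokenizer sees "---<iframe" as plain text followed by a tag, so the dash prefix buys nothing. The following Python sanitizer is added here as an illustration and is not Finjan's or Microsoft's code; the allowlist contents and the sample message are assumptions constructed for the example.

```python
import html
from html.parser import HTMLParser

# Allowlist of tags and attributes a webmail renderer may keep. Anything else,
# including the LINK, OBJECT and IFRAME tags named in the advisory, is dropped
# no matter what text (such as "---") precedes the "<" of the tag.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "font", "div", "span"}
ALLOWED_ATTRS = {"href", "color", "size", "face"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()      # convert_charrefs=True: text arrives decoded
        self.out = []           # sanitized fragments
        self.dropped = []       # removed tag names, useful for logging/alerting

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:           # tag names arrive lowercased
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS:
                continue
            if name == "href" and not value.lower().startswith(SAFE_SCHEMES):
                continue                      # links only to allowlisted schemes
            kept.append(f' {name}="{html.escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so it can never re-open a tag in the output.
        self.out.append(html.escape(data, quote=False))
    # Comments, declarations and processing instructions fall through to the
    # base-class defaults, which emit nothing.

def sanitize(body):
    """Return (clean_html, dropped_tags) for an incoming message body."""
    p = AllowlistSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.dropped

# Constructed sample using the dash-prefixed forms quoted in the advisory.
SAMPLE = ('<p>Hi ---<LINK rel=stylesheet href="http://example.invalid/x.css">'
          ' ---<object classid="clsid:CONSTRUCTED"></object>'
          ' ---<iframe src=http://www.finjan.com></iframe>'
          '<a href="http://www.finjan.com/">site</a></p>')
```

Running sanitize(SAMPLE) keeps the paragraph and the link while reporting link, object and iframe as dropped; the dropped list is what a mail gateway would log or alert on.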

The injected JavaScript code is responsible for:
-Getting Passport/Wallet cookies.
-Automatically launching malicious code.
-Identity theft using a spoofed re-login window (suggested by 
http-equiv@xxxxxxxxxxx).
-Reading and disclosing the user's inbox and contacts.
-Sending an e-mail message.

The JavaScript code has been used for creating demos, but Finjan Software won't 
reveal this source code.
The ActiveX control could have been used as a destructive payload of the 
propagating worm.  It also allows propagation to non-Hotmail users.
The basic attack does not require an ActiveX control.  The ActiveX control is 
the payload that can be used to extend the attack to non-Hotmail users, or to 
perform any malicious activity, including formatting of the hard disk.
When the ActiveX control is used, the end user may get a security warning, 
depending on the security settings of the browser.  An example: 
http://www.finjan.com/mcrc/demos/activex.cfm (click on the 'test me' button 
after reading the disclaimer).


Protection:
This specific vulnerability has been eliminated by Microsoft following Finjan 
Software's notification.  Finjan's content security products (SurfinGate for 
Web, SurfinGate for E-mail, SurfinShield Corporate and SurfinGuard Pro) provided 
proactive defense against this Hotmail vulnerability prior to its detection and 
correction.  Finjan's patented behavior inspection engine will protect computer 
users from similar future vulnerabilities and comparable potential exploits.


Credit: Dror Shalev and Menashe Eliezer.
Reviewers: Drew Copley (thePull), Liu Die Yu, Jelmer and http-equiv.