Hotmail hole exposes users

New security hole allows hostile JavaScript to steal a user's password.

A new Hotmail security hole, discovered by Bulgarian hacker Georgi Guninski, allows hostile JavaScript programs to be injected into users' systems via an e-mail message. According to Guninski, a malicious hacker can use the hole to display a bogus login screen which "steals" the user's password. It is also possible, says Guninski, to read the user's mail or send spam or harassing messages under the user's name. These attacks can be performed via any browser that supports JavaScript, including both Internet Explorer and Netscape Navigator.

To protect users from hostile scripts, Hotmail is supposed to filter out JavaScript programs -- as well as other potentially hostile code -- embedded in e-mail messages. However, as Guninski discovered, the filtering is not complete. It ignores "meta-characters," HTML's mechanism for writing characters as numeric or mnemonic codes, so script that spells its key characters in that form passes the filter untouched and is decoded only later, by the user's browser. This loophole could open the door to many types of security breaches that Hotmail was previously claimed to block.
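The following Python script is an added illustration of that filtering flaw and of the usual remedy; it is not Hotmail's code, and the message bodies, tag allowlist and function names in it are constructed for the example. A blacklist filter that inspects the raw message text misses a "javascript:" link whose letters are written as numeric character references, while a filter that works on the decoded markup (here via the standard library's HTML parser, which decodes references in attribute values before handing them over, combined with a tag and attribute allowlist) sees the same text the browser would and drops the attribute.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample e-mail bodies (not from the article). The second one spells
# the start of the link scheme with numeric character references, the kind of
# "meta-character" the article says the filter ignored; a browser decodes them
# before following the link, so the two bodies behave identically when viewed.
PLAIN_BODY = '<p>Hi!</p><a href="javascript:void(0)">log in again</a>'
ENCODED_BODY = '<p>Hi!</p><a href="&#106;avascript&#58;void(0)">log in again</a>'
BENIGN_BODY = '<a href="https://example.com/?a=1&amp;b=2">ok</a>'

SCRIPT_SCHEME = re.compile(r'javascript\s*:', re.IGNORECASE)


def naive_filter(body):
    """Blacklist filter of the kind the article describes: it matches dangerous
    strings in the raw, undecoded message text, so character references that
    hide those strings are never seen."""
    body = re.sub(r'<script\b.*?</script\s*>', '', body, flags=re.I | re.S)
    body = re.sub(r'\son\w+\s*=', ' data-removed=', body, flags=re.I)
    return SCRIPT_SCHEME.sub('', body)


def has_script_scheme(body):
    """Detection check that decodes references first, i.e. inspects the markup
    the way a browser will interpret it rather than the way it was typed."""
    return SCRIPT_SCHEME.search(html.unescape(body)) is not None


# Hypothetical allowlist for the hardened filter: only these tags and
# attributes survive, and links must use one of the listed schemes.
ALLOWED_TAGS = {'p', 'b', 'i', 'br', 'a'}
ALLOWED_ATTRS = {'a': {'href'}}
SAFE_SCHEMES = ('http://', 'https://', 'mailto:')


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the message from parsed tokens, keeping only allowlisted
    markup. HTMLParser decodes character references in attribute values before
    calling handle_starttag, so the href check below sees "javascript:" no
    matter how the sender encoded it."""

    def __init__(self):
        super().__init__()
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown or dangerous tag: dropped entirely
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == 'href' and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # decoded value does not start with a safe scheme
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append('<%s%s>' % (tag, ''.join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != 'br':
            self.out.append('</%s>' % tag)

    def handle_data(self, data):
        # Text was decoded by the parser; re-escape it so it stays text.
        self.out.append(html.escape(data))


def sanitize(body):
    """Hardened filter: parse, then re-emit only allowlisted markup."""
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return ''.join(parser.out)


if __name__ == '__main__':
    print('naive, plain  :', naive_filter(PLAIN_BODY))
    print('naive, encoded:', naive_filter(ENCODED_BODY))
    print('script scheme survives naive filter:',
          has_script_scheme(naive_filter(ENCODED_BODY)))
    print('allowlist, encoded:', sanitize(ENCODED_BODY))
    print('allowlist, benign :', sanitize(BENIGN_BODY))
```

The lesson carries beyond this one scheme: any filter that matches strings in the raw message rather than in the decoded, parsed form can be bypassed by whatever encoding the browser is willing to undo, which is why allowlisting parsed output is the standard design rather than blacklisting raw text.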

If you're a Hotmail user, you can protect yourself from hostile JavaScript by disabling JavaScript in your browser. Here is how to do this in several popular browsers.

Netscape Navigator 3.x
Select "Options | Network Preferences..." and select the tab marked "Languages." Uncheck the "Enable JavaScript" box.

Netscape Navigator 4.x
Select "Edit | Preferences..." and select "Advanced" on the left side of the dialog box which appears. Uncheck the "Enable JavaScript" box to disable JavaScript.

Internet Explorer 3.x
Select "View | Options..." and select the "Security" tab on the property sheet that appears. Uncheck "Run ActiveX scripts."

Internet Explorer 4.x and later
Select "View | Internet Options..." and select the "Security" tab on the property sheet that appears. Customize the security settings for the "Internet" zone and select "Disable" under the heading marked "Active scripting."