Worm holes found in Hotmail and Yahoo! Mail

A security hole in Hotmail and Yahoo! Mail could fool users into letting a worm run rife with their address books
Written by ZDNet Staff, Contributor

Hotmail and Yahoo have left open a security hole that could be exploited to create a self-mailing worm that, while not damaging, could clog Internet mail servers, a security expert said this week.

The vulnerability allows an attacker to create an e-mail containing an HTML link that can act as a worm. If clicked by a user of one of the vulnerable Web-based e-mail services, the HTML code will execute, making it possible to manipulate the person's in-box and send e-mail, said Matt Parcens, the independent software specialist who discovered the flaw.

"The webworm has serious short-term danger, but less of a danger in the long term," he said in an e-mail. "For the webworm to be active, a hole must exist on the same server that serves the mail. This limits the number of possible holes dramatically."

If properly coded, the HTML link could forward itself to the sender of every e-mail stored in the victim's in-box, Parcens said. The result: a deluge of e-mail.

On Friday, Microsoft confirmed that the security hole existed on its Hotmail Web-based mail service, but that it had plugged the hole by Friday afternoon.

"We sent it over to the Hotmail team," said Steve Lipner, manager for Microsoft's security response center. "They fixed it as of about noon."

As of late Friday, Yahoo had not fixed the hole. But a company representative said it would be fixed by the end of the day.

Details about the vulnerability were published to a security information list on Thursday. While Parcens claimed that he contacted both Microsoft and Yahoo on 23 May, Microsoft had no idea the hole existed until the advisory went up, Lipner said.

Parcens said he sent the information to several Hotmail addresses, but not to security@microsoft.com, the normal channel for such advisories. "I did notify the company through the best channels I could find on the Hotmail site," he said.

While the hole could lead to clogged servers, much of the danger will be gone by Saturday morning, after both companies have fixed the vulnerability. The fact that a simple server fix can prevent the flaw from being exploited means that this particular security hole will be short-lived.

Typically, when the vulnerability is in a software application, Microsoft has to issue a patch and then hope that people download and install the fix.

"We don't love any of these things," Lipner said. "But the nice thing about a Hotmail server issue is that when we find one we can patch it and that's it."

Is your PC safe? Find out in ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards