Security company Finjan Software Inc. detected a security vulnerability in Microsoft Corp."s Hotmail Web-based e-mail service, which Microsoft has since closed, the companies said Wednesday. The new security flaw, known as a cross-site scripting vulnerability, could be used to create an Internet worm that steals e-mail addresses from Hotmail users" accounts, captures credit card numbers or installs Trojan horse programs, Finjan said. The vulnerability exists in the way that Hotmail treats e-mail containing ActiveX controls, which are small, portable pieces of software code that enable programmers to embed sophisticated user interface elements into Web pages for use over a corporate intranet or the Internet. Hotmail content filters do not adequately block e-mail messages containing the controls, Finjan said.
In cross-site scripting attacks, malicious hackers embed attack code in Web pages or HTML e-mail messages. Once executed, cross-site scripting attacks can give attackers access to personal account or financial information or control over a remote machine. As a result of the Hotmail vulnerability, attackers could run malicious code on the computer of a Hotmail user who opened an e-mail containing the malicious ActiveX control, Finjan said. By embedding a worm engine in the e-mail and code that would grab the addresses from the Hotmail user"s address books, attackers could use the Hotmail vulnerability to make a worm, Finjan said. A Microsoft spokesman said the company was informed of the problem by Finjan on Sept. 8 and patched the company"s Hotmail systems within 24 hours. No Hotmail users were affected by the cross-site scripting vulnerability, which no longer affects Hotmail users, he said.