Feeds

Malicious JavaScript shuts down Hotmail

Is there some reason why e-mail needs Java enabled?

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Micro$oft's engineering bias preferring features over security has turned on them again. The company was forced to take its Hotmail service off line for about four hours Wednesday to bung a security hole enabling a malicious spammer to intercept Hotmail authentication cookies and take over users' accounts. The exploit uses an HTML attachment containing malicious JavaScript. When the victim views the attached file, the script intercepts the cookies and forwards them to a hostile site. The cookies are used for authentication and give anyone who intercepts them complete access to the victim's account, an intrusion which could also yield access to POP account passwords stored on the Hotmail server. Hotmail blocks JavaScript in e-mail messages, but not in attachments. Hotmail has fixed the hole by redirecting victims who activate the attachment before the JavaScript has a chance to intercept the cookies. Further details on the exploit and an example of the attachment are available from Peacefire. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Bono apologises for iTunes album dump
Megalomania, generosity and FEAR of irrelevance drove group to Apple deal
Facebook, Apple: LADIES! Why not FREEZE your EGGS? It's on the company!
No biological clockwatching when you work in Silicon Valley
Arab States make play for greater government control of the internet
Nerds told to get lost in last-minute power grab bid at UN meeting
Apple SILENCES Bose, YANKS headphones from stores
The, er, Beats go on after noise-cancelling spat
Doctor Who's Flatline: Cool monsters, yes, but utterly limp subplots
We know what the Doctor does, stop going on about it already
Zippy one-liners, broken promises: Doctor Who on the Orient Express
Series finally hits stride, but Clara's U-turn is baffling
Don't bother telling people if you lose their data, say Euro bods
You read that right – with the proviso that it's encrypted
America's super-secret X-37B plane returns to Earth after nearly TWO YEARS aloft
674 days in space for US Air Force's mystery orbital vehicle
10 Top Tips For PRs Considering Whether To Phone The Register
You'll Read These And LOL Even Though They're Serious
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.