Yahoo! fixes Web mail vuln
Print storyFlawed script
Posted in Security, 11th December 2003 11:50 GMT
Free whitepaper – Certify your software integrity with Thawte code signing certificates
Yahoo! has closed a potentially devastating security loophole in its popular Web-based email service.
The script execution vulnerability in the service could have allowed crackers to launch a worm or mobile code attacks using maliciously-constructed email messages.
Yahoo's active content filter is supposed to block the injection of any active content into Yahoo! messages but security firm Finjan Software found this safeguard was easily foiled. Web-based email services from Outblaze and Excite had the same problem.
All three services are now fixed, according to security clearing house CERT.
The flaw would have allowed an attacker to input malicious script into a seemingly normal e-mail message. Potential victims opening a malicious e-mail would be hit with a malicious code attack, providing scripting was enabled on their Web browser.
In addition to destroying files, malicious code attacks could be used to steal personal information.
More info on the malicious script execution security flaw can be found here. ®
Free whitepaper – Securing your Apache web server with a Thawte digital certificate
The best practices guide for application security
Reducing messaging and web security costs with managed services
Avoiding 7 common mistakes of IT security compliance
Certify your software integrity with Thawte code signing certificates
The future of SaaS and IT infrastructure management
Feds: Hospital hacker's 'massive' DDoS averted
Buggy 'smart meters' open door to power-grid botnet
Microsoft knew of nasty IE bug a year before attacks
BlockMaster SafeStick hardware-encrypted USB drive