Vulnerability

    hotmail

Affected

    Hotmail

Description

    Georgi Guninski found yet another Hotmail security hole  injecting
    JavaScript  in  IE  using  "@import url(javascript:...)".  Hotmail
    allows executing JavaScript code in email messages using  "@import
    url(javascript:...)", which may compromise user's Hotmail  mailbox
    when viewed with Internet Explorer.

    There is  a security  flaw in  Hotmail which  allows injecting and
    executing JavaScript code in an email message using the javascript
    protocol.   This  exploit  works  on  Internet  Explorer.  Hotmail
    filters the "javascript:" protocol for security reasons.  But  the
    following JavaScript is executed: "@import url(javascript:...)".

    Executing JavaScript  when the  user opens  Hotmail email  message
    allows for example displaying a  fake login screen where the  user
    enters  his  password  which  is  then  stolen.  No need for scary
    demonstration, but it  is also possible  to read user's  messages,
    to send messages  from user's name  and doing other  mischief.  It
    is  also  possible  to  get  the  cookie  from  Hotmail,  which is
    dangerous.   Hotmail deliberately  escapes all  JavaScript (it can
    escape) to prevent such attacks, but obviously there are holes.

    The code that must be included in HTML email message is:

        <style TYPE="text/css">
        @import url(javascript:alert('Javascript is executed'));
        </style>

Solution

    Workaround: Disable Active Scripting.