Vulnerability

    hotmail

Affected

    Hotmail

Description

    Georgi  Guninski  found  yet  another  Hotmail  security  hole  by
    injecting JavaScript using "jAvascript:".  Hotmail allows
    executing JavaScript code in email messages using:

        <IMG SRC="jAvascript:alert('Javascript is executed')">

    which  may  compromise  user's  Hotmail  mailbox  when viewed with
    Internet Explorer.

    Some time  ago Hotmail  fixed the  "javasCript" bug,  but now a
    similar issue arrises using hexademical codes of characters. There
    is a security flaw in Hotmail which allows injecting and executing
    JavaScript code in an email message using the javascript protocol.
    This  exploit  works  on  Internet  Explorer.  Hotmail filters the
    "javascript:"  protocol  for  security  reasons.   But it does not
    filter  properly  the  following  case:  "jAvascript"   where
    "A" is the  hexademical ASCII code  of "A".   So the following
    HTML  is  executed  <IMG SRC="jAvascript:alert('Javascript is
    executed')">  if  the  user  has  enabled automatically loading of
    images (most users have).

    Executing JavaScript  when the  user opens  Hotmail email  message
    allows for example displaying a  fake login screen where the  user
    enters his password which is then stolen. No need to make a  scary
    demonstration, but it is also possible to read user's messages, to
    send messages from  user's name and  doing other mischief.   It is
    also possible to get the cookie from Hotmail, which is  dangerous.
    Hotmail deliberately  escapes all  JavaScript (it  can escape)  to
    prevent such attacks, but obviously there are holes.

    The code is:

        <IMG SRC="jAvascript:alert('Javascript is executed')">

Solution

    Workaround: Disable Active Scripting