Originally published on TechWeb on February 16, 2001
In a statement issued Friday evening, Microsoft Corp. says it has already patched a reported hole in the security of its popular Hotmail Web-based e-mail system, after the Canadian consulting firm Neurocom warned of a potential spoof attack that could threaten 74 million users.
After having stated earlier that the company would further investigate Neurocom’s Friday morning warning, Microsoft (stock: MSFT) issued a correction, stating, “On February 14th, Neurocom released a press release claiming that Hotmail users were vulnerable…when in fact they were not, and had not been for over two weeks. We are at a loss to understand why Neurocom did this.”
Gregory Duchemin, an ethical hacker with Neurocom, apparently found the security hole.
“We had not contacted Microsoft, but they got in touch with us,” said Rosy Zaour, a Neurocom spokeswoman, on Friday. “However, they haven’t followed up on confirming the information yet.”
Neurocom said that, by using cascading style sheets (CSS), hackers could easily replicate the look and feel of Web-based mail packages, leaving the user unaware of the fact that they have a problem.
CSS is a standardized tool used by most Web site designers to simplify the means by which browsers lay out and display complex Web pages.
By exploiting features of CSS, the offending e-mail message could manufacture a login screen that appears identical to the real Hotmail login, but which sends the login informatioincluding passworto the hacker’s server.
According to a statement from Neurocom, “a hacker will use a Trojan horse written in HTML language and having for result [sic], when opening the mail, to recover the totality of the [browser] screen and to display the perfect replica of Hotmail’s re-login page.
“The users’ passwords for these kinds of services are all susceptible to being discovered thanks to this technique,” Neurocom said.
Microsoft’s statement late Friday went on to read, “Unfortunately, this case is an example of how NOT to handle a security vulnerability. Not only did Neurocom fail to work with, or even notify, the vendors to resolve the problem, its February 14th press release was irresponsible, not to mention inaccurate.”
Indeed, as of late Friday evening, no message had been posted to the BugTraq mailing list by Neurocom since its January 30 statement that the so-called “css/div” hole had been fixed.
Security engineer Mark Kadrich, the former principal consultant for INS Security, said the trick “is a directed attack, in that the exploit is buried as an attachment within an e-mail message.”
Microsoft fixed what it called “similar sounding” problems with Hotmail in December. Yet the company is concerned that Neurocom went ahead and publicized the weakness even after the fix was made.
So, how can users employ filtering mechanisms to prevent such incursions?
“The right way to implement a filtering system is to have a list of good HTML syntax, and only allow those tags in instead of trying to filter out known bad things,” said Elias Levy, CTO of securityfocus.com, a security consulting firm.
“It’s a good trick,” said Rick Steinberger, technical director of SecurityPortal.com, a security website. “There’s nothing that says how widespread this is, but my guess would be that this has some potentials to take off. It’s violating the privacy of those people, and you could imitate them or delete their e-mail.”
Steinberger said users need to be smart about potential attacks.
“This is not that different from the Anna Kournikova virus,” he said, “in that it gets people to do something unwise. A lot of people are not terribly sophisticated about their interaction on the Internet.”
Rafael Feitelberg, CEO of security solutions provider Gilian Technologies, Redwood Shores, Calif., believes the type of exploit that plagues Hotmail theoretically could affect any website that utilizes a login page or a data input form.
But ordinary security software, Feitelberg stated, wouldn’t be able to detect such a spoof as it was happening, because the site being spoofed is not the one sending out the false login page.