Microsoft Rights Hotmail

The security threat to Hotmail users that emerged earlier this week has been patched, says Microsoft. The fix involves filtering out all scripting code in incoming mail messages. By Michael Stutz.

Microsoft has fixed a serious vulnerability in its Hotmail email service that let an attacker trick users into sending their usernames and passwords to an outside email address.

"We ... released a robust fix last night to the issue that was raised a couple of days ago," said Sean Fee, Hotmail's director of product marketing.

That issue was first raised on Monday, when Canadian Web developer Tom Cervenka published a demonstration of the simple vulnerability -- a Trojan horse that spoofs the appearance of a Hotmail screen, requesting a victim to re-enter both username and password.

The vulnerability uses standard HTML and JavaScript, a scripting language invented by Netscape that is embedded in HTML pages, to redirect the user's information to another email address.

On Monday, Hotmail implemented a fix to the problem, removing all occurrences of "<script>" -- the HTML tag that signifies the beginning of a JavaScript code sequence in an HTML document -- from its members' incoming messages.

But this was only a temporary fix, since JavaScript code can be hidden in other places in an HTML document. Cervenka improved his demo only minutes later with a real-life example, hiding the code in an HTML image tag.

"It's just a matter of filtering JavaScript tags out of the Web site in a more thorough way than they've been doing so far," said Cervenka.

The fix Hotmail implemented last night accomplishes this, filtering out all scripting code in incoming mail messages.
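As an added illustration, not code from the article or from Hotmail, the difference between the two fixes described above: a filter that deletes only the literal "<script>" tag, and one that removes every place a browser will execute script, including the event-handler attribute of an image tag. The sample message, the tag contents and the `stealCredentials` handler name are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample message (not from the article). The <script> element is the
# case Monday's filter caught; the image tag and the link carry script in
# attributes that filter never looked at. stealCredentials is a placeholder.
SAMPLE_MAIL = (
    '<p>Please re-enter your password.</p>'
    '<script>stealCredentials()</script>'
    '<img src="logo.gif" onerror="stealCredentials()">'
    '<a href="javascript:stealCredentials()">Login</a>'
)

def strip_script_tags(markup):
    """Monday's approach: delete the literal <script> tag and nothing else."""
    return re.sub(r'(?i)<script\b[^>]*>', '', markup)

class ScriptStripper(HTMLParser):
    """Later approach: drop <script> elements with their content, every on*
    event-handler attribute and any javascript: URL, then re-serialise with
    entities re-escaped so decoded text cannot turn back into markup."""
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text and attrs arrive decoded
        self.out, self.in_script = [], 0
    def handle_starttag(self, tag, attrs):
        if tag == 'script':
            self.in_script += 1
            return
        kept = ''
        for name, value in attrs:  # names are already lower-cased by the parser
            if name.startswith('on'):
                continue  # onerror, onload, onmouseover, ...
            if value is not None and ''.join(value.split()).lower().startswith('javascript:'):
                continue  # href/src/action pointing at script, even with embedded whitespace
            kept += f' {name}' if value is None else f' {name}="{html.escape(value)}"'
        self.out.append(f'<{tag}{kept}>')
    def handle_endtag(self, tag):
        if tag == 'script':
            self.in_script = max(self.in_script - 1, 0)
        else:
            self.out.append(f'</{tag}>')
    def handle_data(self, data):
        if not self.in_script:
            self.out.append(html.escape(data, quote=False))

def strip_all_scripting(markup):
    parser = ScriptStripper()
    parser.feed(markup)
    parser.close()
    return ''.join(parser.out)

def contains_scripting(markup):
    """Crude detector used only to compare the two filters on the sample."""
    return re.search(r'(?i)<script|\son\w+\s*=|javascript:', markup) is not None
```

A production filter of this era would also need to drop or neutralise `<object>`, `<embed>`, `<iframe>` and CSS that can carry script, which is why the article's "nix JavaScript altogether" amounts to an allow-list of safe tags and attributes rather than a longer deny-list.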

"They did the right thing and decided to nix JavaScript in messages altogether," said Web developer Dannie Gregoire, who claims that he was the first to discover the vulnerability. He published a demonstration of the technique on 12 August, calling it a "Spartan horse" for its simplicity in execution.

He said that he verified through server logs that Cervenka visited his site on 14 August, and claims that Cervenka stole the idea from him. While Gregoire's demonstration mimics the Windows 95/98 dialup window instead of Hotmail, he said that the principle was the same.

Gregoire is satisfied with last night's fix.

"I banged on them for a while and it looks like [Hotmail] thought of most of the obvious means of prevention," he said.

While Fee said that this isn't the total solution that they'd like -- since they want it to be possible for people to send legitimate mail messages that contain scripting -- providing a reliable solution quickly was more important.

With over 22 million members and more than 100,000 new accounts created daily, Hotmail is the world's biggest free Web-based email service.