Took 24 hours to fix the problem - and a mere two years to find it in the first place...
By Robert Lemos
Published: 16 October 2003 09:56 GMT
Responding to a warning from a maker of antivirus software, Microsoft has fixed a security flaw in Hotmail that would have left the widely used web-based email service vulnerable to collapse at the hands of online vandals.
US company Finjan Software said on Wednesday that it told Microsoft of the flaw on 8 October and that the software giant fixed the problem within 24 hours. The vulnerability could have allowed an attacker to use the interactions between Hotmail components to expose a user's address book and send emails. The two functions could have been used to start a Hotmail worm that would have spread whenever a user opened up an infected email, said Menashe Eliezer, manager of Finjan's virus research lab.
"You could read the contact list and send email," Eliezer said. "A worm would have propagated quickly," potentially crippling the network.
Microsoft has been plagued by security concerns. In May, the company scrambled to close a hole in its Passport identity-management system, which acts as the gatekeeper for the Hotmail system and other Microsoft online services. The company recently announced new attempts to secure its customers' systems, including patches that are easier to manage, a focus on default security settings and an initiative to educate its users.
In the case of this most recent Hotmail flaw, the service's active content filter, which polices the activities of ActiveX controls, did not adequately block all scripts, according to Finjan. ActiveX controls are internet programs that add interactivity to websites and run on a computer as if they were the user of that machine. Any system that accessed Hotmail email messages could be affected by the flaw.
Because the service itself was flawed, the fix was easy to apply and took effect immediately, Eliezer said.
Microsoft confirmed that it had received a warning from Finjan and fixed the flaw, but it wouldn't immediately comment on how the flaw escaped its nearly two-year effort, known as the Trustworthy Computing Initiative, to secure its systems.
Robert Lemos writes for CNET News.com
With this in mind, they are looking to recruit a Programme Controls and Planning Manager (PCPM) to Join their Project Management Office. The company ...
The role is for a controls engineer with electrical experience and is an initial contract with view to go permanent. Role profile below: -Initial ...
Prestigious client urgently requires an experienced Systems Engineer/Software Controls Programmer to work on the creation of ESD and F&G Systems for ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Clive Longbottom Windows 7: Not perfect - but ready for prime time Microsoft's latest OS fixes most of Vista's ills - but still has challenges ahead
Stephen Kleynhans Mind the details with Windows 7 Just because it might work better than Vista, it doesn't mean you can be sloppy