All the latest UK technology news, reviews and analysis
|
|
|
24 May 2011
Microsoft has patched a zero-day flaw in its Hotmail email service which hackers were using to steal emails and details of the victims' contacts, according to researchers at security firm Trend Micro.
In a Monday blog post, threat response engineer Karl Dominguez explained that the victim needs only to open the specially crafted message for it to execute an embedded script.
The URL to which the script connects varies according to the Hotmail user's ID and a pre-defined number, indicating that the attacks are highly targeted, Dominguez said.
The URL then leads to another script which triggers a request which is sent to the Hotmail server, forwarding all the victim's emails to the hacker's email address.
"The attack takes advantage of a script or a CSS filtering mechanism bug in Hotmail. Microsoft has already taken action and has updated Hotmail to fix the bug," said Dominguez.
"The malicious scripts and the URL related to this attack are already being detected and blocked by the Trend Micro Smart Protection Network file and web reputation technologies."
Dominguez added that Trend Micro researchers found that Hotmail's filtering engine actually helps the cyber criminals in this attack.
It does so by working on the embedded script contained in the targeted malicious emails to convert the script into two separate lines for further rendering in the web browser's CSS engine.
"This allows the cyber criminals to turn the script into something that allows them to run arbitrary commands in the current Hotmail log-in session," he explained.
Rik Ferguson, Trend Micro director of security research, arged that the incident proves cyber criminals are looking to get a better return on their investment.
"The active exploits of these vulnerabilities demonstrate that criminals no longer solely rely on attacking individual users and computers," he added.
"The best advice for Hotmail users would be to not open unexpected emails from senders they aren't familiar with, not just in this case but as a matter of best practice."
Latest stories from Security
Related articles
Related jobs
Poll
Are you confident that the UK's IT infrastructure is secure from attack in the wake of the Flame malware revelations?
V3 examines the key strengths and weaknesses of Samsung's latest iPhone killer
Connect with V3.co.uk
Social networking is almost ubiquitous. This white paper examines the benefits and risks and it looks at the different ways companies can reconcile them
The importance of understanding your infrastructure
The Role: As a Field Service Engineer working from...
The Role: Make the most of your IT knowledge in one...
Head of IT / Infrastructure Manager (Marketing Services...
A Multi-national data analytic's and cloud computing...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?