Microsoft patches information-stealing Hotmail bug
Targeted emails take advantage of CSS filtering flaw in popular email service
Microsoft has patched a zero-day flaw in its Hotmail email service which hackers were using to steal emails and details of the victims' contacts, according to researchers at security firm Trend Micro.
In a Monday blog post, threat response engineer Karl Dominguez explained that the victim needs only to open the specially crafted message for it to execute an embedded script.
The URL to which the script connects varies according to the Hotmail user's ID and a pre-defined number, indicating that the attacks are highly targeted, Dominguez said.
The URL then leads to another script which triggers a request which is sent to the Hotmail server, forwarding all the victim's emails to the hacker's email address.
"The attack takes advantage of a script or a CSS filtering mechanism bug in Hotmail. Microsoft has already taken action and has updated Hotmail to fix the bug," said Dominguez.
"The malicious scripts and the URL related to this attack are already being detected and blocked by the Trend Micro Smart Protection Network file and web reputation technologies."
Dominguez added that Trend Micro researchers found that Hotmail's filtering engine actually helps the cyber criminals in this attack.
It does so by working on the embedded script contained in the targeted malicious emails to convert the script into two separate lines for further rendering in the web browser's CSS engine.
"This allows the cyber criminals to turn the script into something that allows them to run arbitrary commands in the current Hotmail log-in session," he explained.
Rik Ferguson, Trend Micro director of security research, arged that the incident proves cyber criminals are looking to get a better return on their investment.
"The active exploits of these vulnerabilities demonstrate that criminals no longer solely rely on attacking individual users and computers," he added.
"The best advice for Hotmail users would be to not open unexpected emails from senders they aren't familiar with, not just in this case but as a matter of best practice."
V3 Latest
First plant to grow on the Moon, err, dies
Cotton seedling freezes to death as Chang'e-4 shuts down for the Moon's 14-day lunar night
Fortnite news and updates: Fortnite made $2.4bn in 2018, according to SuperData
Fortnite easily out-earns PUBG, Assassin's Creed Odyssey and Red Dead Redemption 2 in 2018
Japanese firm sends micro-satellites into space to deliver artificial meteor showers on demand
Meteor showers as a service will be visible for about 100 kilometres in all directions
Saturn's rings only formed in the past 100 million years, suggests analysis of Cassini space probe data
New findings contradict conventional belief that Saturn's rings were formed along with the planet about 4.5 billion years ago