Bugtraq mailing list archives

Re: New exploit can freeze web browsers!


From: Marc Slemko <marcs () ZNEP COM>
Date: Mon, 14 Aug 2000 12:30:24 -0600

On Fri, 11 Aug 2000, Michael Wheaton wrote:

> Everyone wants to freeze someone's computer when they
> read an e-mail, right?  Hotmail has put their security
> way up but still Yahoo!Mail and hundreds of others can
> be used to freeze a person's computer easily!  As you
> know, JavaScript can be used to execute functions on a
> person's computer without their permission to do so.
> A while ago you used to be able to execute JavaScript
> on HotMail but they've completely removed that
> possibility for now.  JavaScript has been blocked out
> of many other popular e-mail programs but I have
> discovered a method to get past this.

There is nothing new about this, and in general freezing their computer
isn't too entertaining.  The more useful (and annoying to the user) stuff
is when you steal their web based email account.

You can still execute arbitrary javascript on a majority of users'
browsers on a vast majority of web based email services, including
hotmail, yahoo mail, etc.  All it takes is being a little crafty
with the HTML, perhaps including exploiting browser specific issues
like IE's bug where it will treat "java\000script" like "javascript",
where \000 is a null character.

Until these companies get over the misconception that they have any
hope of filtering only "bad" HTML out of messages, this will continue
to be an issue.  Hotmail has been vulnerable to such attacks 100% of the
time since it was started; people just haven't found it interesting
enough to keep finding the next way to work around their filters, or
they haven't kept posting them.

Combine this with poor use of cookies from a security standpoint and the
requirement of many web based email services that you have javascript
enabled just to use the service... and you leave yourself wide open.

The task that lies in front of providers of web based email is to
add a safe mode, that may or may not be enabled by default, that
does not allow HTML to be interpreted in messages at all.  Then
they can also have a mode where a specific subset of HTML is
permitted, and everything else is denied.  Then they have a last
resort mode that lets you read a message with everything except
what they think is "unsafe" markup passed through, that you can
use for a particular message if you have cause to.  As long as hotmail
continues along its current path of "we think we can filter out the
bad stuff", they will always be vulnerable.  Period.

Sure, I could include yet another example of a hotmail exploit.  But what
is the point?

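As an added example (not part of this thread or of any mail provider's code), here is the contrast the reply argues for, in Python: a blocklist filter that deletes the word "javascript" and passes everything else through, beside an allowlist sanitizer implementing the "specific subset of HTML is permitted, everything else is denied" mode. The permitted tags, attributes and URL schemes are assumed for illustration.

```python
import html
from html.parser import HTMLParser

# Blocklist filter of the kind the post criticises: delete the word
# "javascript" and pass everything else through. A NUL byte inside the
# word is enough to slip past it.
def blocklist_filter(message_html):
    return message_html.replace("javascript", "")

# Allowlist (assumed subset): anything not listed here is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_WITH_CONTENT = {"script", "style"}   # tag and its body both go

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()      # convert_charrefs=True: entities are decoded before we see them
        self.out = []
        self.skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS or self.skip_depth:
            return
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue        # e.g. onmouseover, style: never copied
            if name == "href":
                # Control characters (such as the NUL byte the post mentions)
                # never belong in a URL, and the scheme must be one we know.
                if any(ord(c) < 0x20 for c in value):
                    continue
                if not value.lower().startswith(SAFE_SCHEMES):
                    continue
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data))   # text can never turn back into markup

def sanitize(message_html):
    parser = AllowlistSanitizer()
    parser.feed(message_html)
    parser.close()
    return "".join(parser.out)
```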
