Information Security News mailing list archives

Re: New Hotmail hole discovered


From: mea culpa <jericho () DIMENSIONAL COM>
Date: Thu, 16 Sep 1999 12:58:10 -0600

Reply From: Jason Axley <jason.axley () attws com>

Date: Wed, 15 Sep 1999 20:37:50 -0600
From: mea culpa <jericho () DIMENSIONAL COM>
Subject: [ISN] New Hotmail hole discovered

From: Robert Kemp <sensuant () hotmail com>
http://www.zdnet.com
New Hotmail hole discovered

Javascript can be used to jimmy open Hotmail accounts, bugfinder says.
'This is not a security issue,' Microsoft says.

[details omitted to emphasize the irresponsible views of Microsoft]

Microsoft (Nasdaq:MSFT) is not claiming ownership of this latest problem.
"This is not a Hotmail security issue. We see it as an example of people
encouraging users to run malicious code on the Web," a Microsoft
spokesperson said.

"To protect yourself now, you can disable JavaScript, just disable it
before using Hotmail, or do not open mail from unknown people when you
think it might contain JavaScript," the spokesperson added. "Microsoft is
investigating ways for Hotmail users to have greater security against
threats posed by malicious use of JavaScript in e-mail."

This _is_ a real security issue in Hotmail.  That said, I can't believe:

1) that MS would claim that it is not their problem that their Hotmail
software allows JavaScript to creep into emails.  They just aren't
filtering it out from all possible places.

2) That they blame the finders of the problem (i.e. kill the messenger)
for "encouraging users to run malicious code on the web" rather than
taking responsibility for it.

3) Additionally, they still are claiming that it is the user's problem if
they do not disable JavaScript before going to Hotmail (as if they are
supposed to know to do that or be expected to do so) and they claim that
users should know to not open emails from unknown sources.  This is
ridiculous posturing.  If all security was left in the hands of users--how
secure would we be?  Scary thought.

MS had taken several steps forward in their handling of security problems.
With this, they may have taken a giant leap backwards.

Now, in Microsoft's defense, the question to ask of zdnet is "Who is your
source?" "A Microsoft spokesperson" is not very descriptive, nor does it
indicate that this individual is qualified to be making these statements.
I challenge zdnet to back up their story...

-Jason

AT&T Wireless Services
IT Security
UNIX Security Operations Specialist
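
As an added example (not part of the original post, and not Hotmail's code) of what "not filtering it out from all possible places" means in practice: a deny-list filter that only removes <script> tags, shown next to an allow-list sanitizer that keeps only known tags and attributes and only http/https/mailto links. The function names, the allow-lists and the four sample messages are constructed here for illustration; the sanitizer is a teaching sketch built on regular expressions, not a production HTML parser (it does not, for example, decode entities or handle a ">" inside a quoted attribute).

```javascript
'use strict';
// Added example: deny-list vs. allow-list filtering of JavaScript in HTML
// e-mail. Everything here is constructed for illustration; it is not the
// code of Hotmail or of any real mail filter.

// Deny-list approach: strip <script>...</script> and call it done.
function naiveStripScript(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Allow-list approach: rebuild the document from known-safe tags and
// attributes only; everything else is dropped or rendered as inert text.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'br', 'a']);
const ALLOWED_ATTRS = { a: new Set(['href']) };   // no on* handlers anywhere

function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Browsers ignore control characters inside a URL scheme ("java\tscript:"),
// so strip them first, then require an explicitly allowed scheme.
function safeHref(value) {
  const cleaned = value.replace(/[\u0000-\u0020]/g, '');
  return /^(https?:|mailto:)/i.test(cleaned) ? cleaned : null;
}

const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function sanitize(html) {
  const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));   // text between tags
    last = TAG_RE.lastIndex;
    const tag = m[1].toLowerCase();
    const closing = m[0].startsWith('</');
    if (!ALLOWED_TAGS.has(tag)) continue;   // unknown tag: drop it, its text stays inert
    if (closing) { out += `</${tag}>`; continue; }
    const allowed = ALLOWED_ATTRS[tag] || new Set();
    let attrs = '';
    let a;
    ATTR_RE.lastIndex = 0;
    while ((a = ATTR_RE.exec(m[2])) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!allowed.has(name)) continue;               // e.g. onmouseover
      const v = name === 'href' ? safeHref(value) : value;
      if (v === null) continue;                       // e.g. javascript: URL
      attrs += ` ${name}="${escapeText(v)}"`;
    }
    out += `<${tag}${attrs}>`;
  }
  return out + escapeText(html.slice(last));
}

// Constructed samples: script "creeping in" somewhere other than <script>.
const SAMPLES = {
  scriptTag:       '<p>hi</p><script>alert(1)</script>',
  eventHandler:    '<a href="http://example.com" onmouseover="alert(1)">x</a>',
  jsUrl:           '<a href="javascript:alert(1)">x</a>',
  jsUrlObfuscated: '<a href="java\tscript:alert(1)">x</a>',
};

// Crude check used only to compare the two filters on the samples above:
// does anything that a browser would execute as script survive?
function stillHasScript(html) {
  return /<script\b|\bon[a-z]+\s*=|java\s*script\s*:/i.test(html);
}

function compare(samples) {
  const result = {};
  for (const [name, html] of Object.entries(samples)) {
    result[name] = {
      naive: stillHasScript(naiveStripScript(html)),
      allowlist: stillHasScript(sanitize(html)),
    };
  }
  return result;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(compare(SAMPLES), null, 2));
}
```

Run with `node` to see the table: the deny-list filter catches only the literal <script> tag and lets the event handler and both javascript: links through, while the allow-list version drops all three because it never had a rule for them in the first place. That is the difference between filtering JavaScript out of the places you thought of and filtering it out of all possible places.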

ISN is sponsored by Security-Focus.COM
