Hotmail and Yahoo have left open a security hole that could be exploited to create a self-mailing worm that, while not damaging, could clog Internet mail servers.
The vulnerability allows an attacker to create an email containing an HTML link that can act as a worm. If clicked by a user of one of the vulnerable Web-based email services, the HTML code will execute, making it possible to manipulate the person's in-box and send email, said Matt Parcens, the independent software specialist who discovered the flaw.
"The webworm has serious short-term danger, but less of a danger in the long term," he said. "For the webworm to be active, a hole must exist on the same server that serves the mail. This limits the number of possible holes dramatically."
If properly coded, the HTML link could forward itself to the sender of every email stored in the victim's in-box, Parcens said. The result: a deluge of email.
On Friday, Microsoft confirmed that the security hole existed on its Hotmail Web-based mail service, but that it had plugged the hole by Friday afternoon.
"We sent it over to the Hotmail team," said Steve Lipner, manager for Microsoft's security response center. "They fixed it as of about noon."
Details about the vulnerability were published to a security information list on Thursday. While Parcens claimed that he contacted both Microsoft and Yahoo on May 23, Microsoft had no idea the hole existed until the advisory went up, Lipner said.
Parcens said he sent the information to several Hotmail addresses, but not to security@microsoft.com, the normal channel for such advisories. "I did notify the company through the best channels I could find on the Hotmail site," he said.
The fact that a simple server fix can prevent the flaw from being exploited means that this particular security hole will be short-lived.
Typically, when the vulnerability is in a software application, Microsoft has to issue a patch and then hope that people download and install the fix.
"We don't love any of these things," Lipner said. "But the nice thing about a Hotmail server issue is that when we find one we can patch it and that's it."
