
Microsoft Patches Exfiltration Flaw in Hotmail


Trend Micro, via Help Net Security, has reported a flaw in Microsoft’s Hotmail service that allows exfiltration via a script, enabling attackers to siphon off contact information and messages from a user’s account.

The good news is that it’s patched already. The next bit of good news is that if a user logged out just after infection, the session for the Hotmail account was ended, which stopped the exploit cold.

The ingenuity of the attack was that it did not require a user to click on a link or download something. Simply opening a specially crafted email was enough to let a script embedded in the email do the dirty work.

The attack looks like it was specifically targeted, and it relied on variables used by Hotmail itself to work.

It is unknown at this time how many users might have been affected by the exploit, but kudos to Microsoft for the quick fix.


About Justin Bellinger

Justin is an experienced software professional, having worked in software and software security for nearly 20 years. Justin is VP of Security Products at SPAMfighter.

3 Comments

  1. Londyn says:

    Mann!!! I thought I was about to get me an iPad 3 :-( I got this message at 2 in the morning :-( I mean, who wouldn't get up for that!! But unfortunately it's all a piece of crap. I'm very disappointed, let me go back to sleep :-(

  2. mandy beasley says:

    Am I a winner?

  3. hawaiapril says:

    I received a text from this number when I bought a new phone with the website attached… However, it isn’t the first time I have gotten a message like this. They want your credit card number to sign up for a minimum of two of their sponsors’ products. You have “won” nothing. What a waste of time.
