A serious flaw in the Yahoo and Hotmail email services could give someone control of your account, an Israeli security company has warned.
GreyMagic Software has produced an advisory that warns an Internet Explorer feature used to process extensions to HTML, called HTML + TIME, could allow attackers to steal login and password information, or browse the contents of an e-mail account. The company tested the vulnerability against Yahoo and Hotmail, but it could affect other e-mail services, it warned.
Microsoft was informed of the problem on 11 March and has already patched its Hotmail service against the hole. However, Yahoo users and users of other Web-based e-mail services could be vulnerable to attack using the security hole, GreyMagic said. Yahoo could not be reached for comment.
HTML + TIME, or Timed Interactive Multimedia Extensions for HTML, is a technology standard that adds support for media playback timing and SMIL files to HTML. It is intended to make it easier to deliver multimedia content to Web browsers over the Internet, according to the World Wide Web Consortium.
Hotmail and Yahoo filter incoming HTML-format e-mail messages for malicious code. However, the filtering, combined with support for HTML + TIME, makes it possible to inject malicious script into incoming e-mail messages, GreyMagic said.
The script would be run when the Web e-mail message is opened and could be used to exploit the machine on which the Web mail was being read. However, the IE browser had to be used to check the Web mail account for the exploits to work, the company said.
GreyMagic says the HTML + TIME vulnerability creates a new avenue for embedding malicious script in e-mail messages and may not be detected by other Web e-mail providers.