Yahoo has patched a hole in its Web e-mail service that could have allowed hackers to run their own computers accessing their e-mail through Internet Explorer.
The company applied a fix for the vulnerability shortly after Israeli security company GreyMagic published an advisory warning about the problem, which also affected Microsoft's Hotmail service.
Hotmail and Yahoo filter incoming HTML-format e-mail messages for malicious code. However, the filtering, combined with an Explorer feature used to process extensions to HTML, called HTML + TIME, made it possible to inject malicious script into incoming e-mail messages, GreyMagic said.
The script would be run when the Web e-mail message was opened and could be used to exploit the machine on which the mail was read. The security hole could allow attackers to steal login and password information, or browse the contents of an e-mail account.
"We learned of a cross-site scripting issue in Yahoo Mail, and immediately began working towards a resolution which was implemented yesterday," said Mary Osako, senior director of communications at Yahoo, in a statement.
Microsoft was informed on March 11 and patched its Hotmail service before the vulnerability was disclosed. However, security researchers at GreyMagic were unable to reach Yahoo, GreyMagic said. Yahoo does not know of any users who were affected by the vulnerability, Osako said.