March 24, 2004, 4:52 PM — Yahoo Inc. has patched a hole in its Web e-mail service that could have allowed malicious hackers to run malicious computer scripts on computers that use Microsoft Corp.'s Internet Explorer Web browser to check Web e-mail accounts.
The company applied a fix for the vulnerability on Tuesday, shortly after Israeli security company GreyMagic Software published an advisory warning about the problem, which also affected Microsoft's Hotmail e-mail service.
Hotmail and Yahoo filter incoming HTML-format e-mail messages for malicious code. However, the filtering, combined with an Internet Explorer (IE) feature used to process extensions to HTML (Hypertext Markup Language) called HTML + TIME (Timed Interactive Multimedia Extensions), made it possible to inject malicious script into incoming e-mail messages, GreyMagic said.
The script would be run when the Web e-mail message was opened and could be used to exploit the machine on which the Web mail was being read. The security hole could allow attackers to steal login and password information, or browse the contents of an e-mail account when IE was used to check the Web mail account for the exploits to work, the company said.
"We learned of a cross-site scripting issue in Yahoo Mail, and immediately began working towards a resolution which was implemented yesterday," said Mary Osako, senior director of communications at Yahoo, in an e-mail statement.
Microsoft was informed on March 11 and patched its Hotmail service before the vulnerability was disclosed. However, security researchers at GreyMagic were unable to reach Yahoo, GreyMagic said.
Yahoo does not know of any users who were affected by the vulnerability, Osako said.