Hotmail Danger Alert ! - Wilders Thread

There is a long thread at Wilders about hotmail's behavior when deleting an email that's just been read. The next email automatically comes up, there is no way to alter this. I have hotmail as a secondary address and as a way of emailing myself and have coped with this by going back to the Inbox and deleting from there. BTW, MSN by default behaves this way, the user has to alter this.

What's funny or tragic, probably a little of both, a corporate IT person posted to the effect that this wasn't known and that this probably has been the source of infections for years which they haven't been able to track down all this time.

http://www.wilderssecurity.com/showthread.php?t=60598

Regards - Charles

 

Sorry to haunt your news threads charles, but my Shenanigans alarm was going off, i had to investigate this FUD.

Point of fact 1) Hotmail is web based and is viewed through a browser (for the purposes of this vector discussion)
2) Inbound HTML mail is highly filtered before you ever get to see it
3) Hotmail has in the past had some problems with html mail not being stripped enough. See here and here. With poorly configured client browsers, there was potential for problems
4) People with XPSP2 would not have been affected by the problems I referenced above, because the browser would have clamped it. Older clients with inadequate security settings were vunerable to these bad scripts in the same was they were vulnerable to malicious web pages.


I don't see what he is basing his assertion that you are exposed to any risk by opening an email. I see no examples of a hole in the HTML filtering, nor recommendations for settings for older client browsers to prevent malicious behavior.
The other poster speculated this was a vector for his company getting viruses over the years. Hotmail scans attachments for you and prestrips HTML mail in an effort to protect you, and I must assume that a company with IT staff is semi-managing thier client IE configurations to enforce appropriate security. I don't see it.

I can appreciate his concerns, but the only thing this really opens you up to is webbug images. This can easily be prevented by setting the following hotmail mail option. I do advocate this setting, as it affords you one less vector for more spam.

 

Hi Ben,

Sorry to haunt your news threads charles

Happy that you do, that's why I post this stuff. The more info and points of view, the better.

Is it ok with you if I cross-link? I anticipate noise over there because you work for MS.

Regards - Charles

 

Its a free country, cross link if you wish. I will note that I am not a security expert, nor is any of the information i post here reviewed, certified, or factual.
Security is serious stuff, and Microsoft takes it very seriously. Enough so that we have a whole group dedicated to it. If they come looking for an official microsoft response, then they will be dissapointed.

I would encourage you to direct the poster of that thread to contact the Hotmail security team if he truely wants to help. They are in the position to effect change if needed. http://www.microsoft.com/technet/security/contact.mspx

 

Ok Ben, took your suugestion and posted the Hotmail link.

Thinking about cross-linking, decided not to, probably less than useful; it would just get in the way.

Regards - Charles

 

I have a hotmail account and have discovered this:

In the inbox, open the mails starting at the top message, delete the message and the next one in line will automatically open.

If, however, you open them starting at the bottom, delete the message and the program goes back to the inbox and waits for you to open the next message you choose.

I could find no option having to do with making this behavior change.