An Israeli security company is warning users of Yahoo's Web e-mail service and Microsoft's Hotmail service of a serious security flaw that could allow remote attackers to run malicious scripts on computers using Microsoft's Internet Explorer Web browser to check Web e-mail accounts.
The vulnerability was discovered in an Internet Explorer feature used to process extensions to HTML called HTML + TIME. The security hole could allow attackers to steal log-in and password information, or browse the contents of an e-mail account, according to an advisory released by GreyMagic Software.
The company tested the vulnerability against Yahoo and Hotmail, but it could affect other e-mail services, GreyMagic said.
Microsoft was informed of the problem on March 11 and has already patched its Hotmail service against the hole. However, Yahoo users and other users of Web-based e-mail services could be vulnerable to attack via the security hole, GreyMagic said.
Yahoo could not be reached for comment.
HTML + TIME, or Timed Interactive Multimedia Extensions for HTML, is a technology standard that adds support for media playback timing and Synchronized Multimedia Integration Language files to HTML. HTML + TIME is intended to make it easier to deliver multimedia content to Web browsers over the Internet, according to the World Wide Web Consortium.
Hotmail and Yahoo filter incoming HTML-format e-mail messages for malicious code. However, the filtering, combined with support for HTML + TIME, makes it possible to inject malicious script into incoming e-mail messages, GreyMagic said.