Security Experts:

Connect with us

Hi, what are you looking for?



Recently-Patched HTML Sanitization Flaw Linked to Hotmail XSS Vulnerability

Microsoft Patched XSS Flaw After Google Security Researchers Found It Within Hotmail

The HTML sanitization flaw patched by Microsoft in this month’s Patch Tuesday appears to have been discovered originally as a cross-site scripting flaw on Microsoft’s Web-based Hotmail email service.

Microsoft Patched XSS Flaw After Google Security Researchers Found It Within Hotmail

The HTML sanitization flaw patched by Microsoft in this month’s Patch Tuesday appears to have been discovered originally as a cross-site scripting flaw on Microsoft’s Web-based Hotmail email service.

Microsoft patched CVE-2012-2520, which it identified as a HTML sanitization vulnerability affecting several Microsoft Office, Communications, and Server applications, in an “Important” bulletin released as part of October’s Patch Tuesday release. HTML strings are not properly handled by the application, giving attackers access to content they are not authorized to read, or the ability to take actions while pretending to be the user.

XSS Vulnerabilities in Hotmail

“An elevation of privilege vulnerability exists in the way that HTML strings are sanitized. An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks and run script in the security context of the logged-on user,” Microsoft said in the advisory.

Drew Hintz and Andrew Lyons, two members of Google Security Team reported a persistent XSS flaw in Microsoft Hotmail in May this year. Microsoft acknowledged the two engineers for identifying the flaw in Hotmail in the Security Researcher Acknowledgments page on its Security TechCenter site, and Google identified the persistent XSS flaw found as CVE-2012-2520 on its own research page. Since the vulnerability has an unknown CVSS base score it is not clear how serious the flaw was, but it’s worth noting that Microsoft flagged the patch fixing the same flaw in several of its products as “important.”

Microsoft did not mention Hotmail at all in the advisory.

“In June 2012 Microsoft became aware of limited, targeted exploits of this issue in Hotmail and addressed the vulnerability immediately; while we addressed the same issue in Microsoft Office and Microsoft Server Software on October 9, we have no evidence of exploitation in the wild,” a Microsoft spokesperson told SecurityWeek.

The targeted attacks relied on a specially crafted HTML email containing JavaScript within CSS code which was sent to the recipient’s Hotmail address. Just the act of opening the message—no need to click on a URL— in Hotmail would have given the attacker full control over the recipient’s emails and account. Normally, HTML sanitization would have stripped out the JavaScript to render the message harmless. Only users on Internet Explorer 6 or 7 would have been affected by the attacks.

While the flaw was fixed in Hotmail right away, it appeared Microsoft looked for and fixed similar issues in other products, resulting in MS12-066 patch released earlier this week.

Affected software included Microsoft InfoPath 2007 and both 32-bit and 64-bit versions of Microsoft InfoPath 2010, Microsoft Communicator 2007 R2, 32-bit and 64-bit versions of Microsoft Lync 2010, Microsoft Lync 2010 Attendee, 32-bit and 64-bit versions of Microsoft SharePoint Server 2007 and 2010, 32-bit and 64-bit versions of Microsoft Windows SharePoint Services 3.0, Microsoft Groove Server 2010, Microsoft SharePoint Foundation 2010, and Microsoft Office Web Apps 2010.

Microsoft has a common library that it uses across many products to prevent XSS attacks, and it was likely this library which contained the sanitization flaw, Bill Pennington, the chief strategy officer of WhiteHat Security, told SecurityWeek. Even though SharePoint is sold as shrink-wrapped software, it is typically deployed with a Web-based UI, which means the application is vulnerable to XSS attacks. Instant messenger clients often use Internet Explorer to render HTML content. Most administration user interfaces are moving to the Web, opening up an attack surface for XSS issues for more desktop applications, Pennington said.

“Anything that uses a browser or HTML rendering components that executes client-side code is potentially vulnerable to XSS attack,” Pennington added.

For the applications patched as part of the Patch Tuesday release, the attacker would have had to convince a user to click on a link that goes to a specially crafted URL or send the user a specially crafted chat message, Microsoft said in the advisory.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet