Wednesday, April 22, 2009

Adventures & frustrations with Microsoft Security Response Center

The following was a security inquiry initiated by myself to Microsoft regarding the behaviour of the preview pane in Hotmail. The first part of the entry is my final communication with Microsoft Security Response Center, to which they have not bothered to reply. As you read down, you will also see my earlier security report. A copy of this post is at the Leoville Town Square Information Technology Message Board. The direct post link is:

http://leovilletownsquare.com/fusionbb/showtopic.php?fid/33/tid/26643/pid/180964/post/last/#LAST


.......................................................................................................................................................................

Hotmail reading pane loading security issue
From: (msdogfood@hotmail.com)
Sent: April 14, 2009 8:40:28 PM
To: Microsoft Security Response Center (secure@microsoft.com)
Hello

I am aware that Hotmail does its own security checks; however, my fundamental issue is that the reading pane will load one message right after the other into the preview window even when you set it not to. This can be considered a security risk because let's assume the security features of Hotmail don't block everything they are supposed to block. One of the ways you can make sure there is less chance of a security risk getting through is to force a user to select the message to activate the preview window. In Outlook 2007 you have this as a standard security setting. Please add this feature to Hotmail or fix the existing setting to work correctly. You are correct in saying most of the time content is automatically blocked as it should be; however, there are times where certain graphics are displayed and certain actions are allowed to happen. If you request an example, I'll have to find one, but it won't be too difficult to locate one.

Best regards
msdogfood@hotmail.com


> From: secure@microsoft.com
> To: msdogfood@hotmail.com
> CC: secure@microsoft.com
> Date: Fri, 10 Apr 2009 09:19:50 -0700
> Subject: RE: Hotmail reading pane loading security issue
>
> Hi,
>
> Hotmail does its own security checks before a message is delivered to the mailbox and if not everything in the message is trusted then the system will automatically disable links, pictures, etc. and display a yellow banner asking for you to confirm that the message is safe.
>
> Regards,
> Nate
>
> -----Original Message-----
> From: [mailto:msdogfood@hotmail.com]
> Sent: Thursday, April 09, 2009 7:37 PM
> To: Microsoft Security Response Center
> Subject: Hotmail reading pane loading security issue
>
> Hello
>
> Just to be clear, you do not find it a security issue if the reading pane automatically loads one message after the other after the user selects the first message? I took your suggestion and shut off the reading pane as a test. However, after I manually selected an email, read it and deleted it, the next message automatically loaded itself. I still feel that this is a security risk because, if it is a message from a person I don't know and it loads whether I choose it or not, it is an open invitation for any security risk that is not blocked.
>
> You shouldn't assume that the preview pane will always be able to keep the user safe. As I recall, when you added the preview pane to Microsoft Outlook with the understanding that the user would be perfectly safe, you then had to do several years of security patches to plug up the holes hackers got through. Please assure me that, even though the pane loads graphics as well as text, your security system will keep my system safe, and if not, fix the autoloading bug.
>
> Thanks
>
>
> > From: secure@microsoft.com
> > To: msdogfood@hotmail.com
> > CC: secure@microsoft.com
> > Date: Mon, 6 Apr 2009 07:23:02 -0700
> > Subject: RE: Hotmail reading pane loading security issue
> >
> > Hello,
> >
> > Thank you for your message regarding features of the Hotmail system. After reviewing your report, this is not something that the MSRC will consider for a case. If you are concerned with messages being displayed in the reading pane, it is possible to turn the reading pane off by clicking on the options menu and selecting off under reading pane settings.
> >
> >
> > Best Regards,
> > Nate
> >
> > -----Original Message-----
> > From: [mailto:msdogfood@hotmail.com]
> > Sent: Sunday, April 05, 2009 6:11 PM
> > To: Microsoft Security Response Center
> > Subject: Hotmail reading pane loading security issue
> >
> > Hello
> >
> > This is to report a possible security issue with the Hotmail reading pane.
> >
> > Version information: M3 Hotmail release and up.
> >
> > After I select an unread message that I am suspicious of in the inbox and the reading pane loads the message, I read it in the pane and either choose to delete it or mark it as spam. After this action, the reading pane automatically loads the next ascending message in the pane without my selecting it, thus loading any content into the viewing window even if it has been deemed dangerous by your own security technology. This will occur even if you set the reading pane to not load any message or take any action until the user selects the message to be opened. I know by design the reading pane is supposed to let you view the message without accessing the message, but with it automatically selecting the next message and loading the preview, there is a possibility that an attacker could find a weakness in the blocking methods built into the reading pane.
> >
> > Here is what I would recommend. If a user chooses to select the message for the reading pane, then the next message should not automatically load but be chosen again by the user. The pane should wait for user action. You might also consider removing the reading pane altogether so the user has to choose the message every time. Yes, it is more inconvenient for the user to open a message every time, but it would be easier to control.
> >
> > If you require any further information, please contact me at:
> >
> > msdogfood@hotmail.com
> >
> > Thanks
> >
> >
> >
> >
>
>

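The auto-advance behaviour described in the thread, as an added example that is not part of the original post and is not Hotmail's code: a small JavaScript model of a webmail reading pane, with a constructed three-message inbox and a stand-in content-blocking filter. The class and function names, the `trusted` flag and the sample messages are all assumptions made for the illustration. Running the report's steps (select one message, delete it) against both pane settings records which messages reach the HTML renderer.

```javascript
// Added example (not Hotmail's code): a minimal model of a webmail reading
// pane, to show why a pane that auto-advances after delete renders a message
// the user never selected. All names and data here are assumptions.

// Constructed sample inbox, newest first.
const INBOX = [
  { id: 1, from: "friend@example.com", trusted: true,
    html: '<p>hi</p><img src="https://cdn.example.com/a.png">' },
  { id: 2, from: "unknown@attacker.example", trusted: false,
    html: '<p>invoice</p><img src="http://attacker.example/t.gif"><script>x()</script>' },
  { id: 3, from: "list@example.org", trusted: true, html: "<p>digest</p>" },
];

// Stand-in for the "content blocking" layer the MSRC reply describes:
// untrusted messages get remote images and scripts stripped. Whatever the
// filter does not recognise still goes to the renderer.
function blockUntrustedContent(msg) {
  if (msg.trusted) return msg.html;
  return msg.html
    .replace(/<script[\s\S]*?<\/script>/gi, "")
    .replace(/<img\b[^>]*>/gi, "[image blocked]");
}

class ReadingPane {
  constructor(messages, { autoAdvance }) {
    this.messages = messages.map(m => ({ ...m })); // private copy
    this.autoAdvance = autoAdvance;
    this.selected = null;
    this.rendered = []; // ids handed to the renderer, in order
  }

  // Meant to be called only from a user click in the message list.
  select(id) {
    this.selected = id;
    this.render(id);
  }

  // Stand-in for the browser parsing the message HTML. This is the attack
  // surface the thread worries about: it runs on the filtered HTML whether
  // or not the user chose to look at the message.
  render(id) {
    const msg = this.messages.find(m => m.id === id);
    const safeHtml = blockUntrustedContent(msg);
    this.rendered.push({ id, length: safeHtml.length });
  }

  // Delete (or mark as spam) whatever is currently in the pane.
  deleteSelected() {
    const idx = this.messages.findIndex(m => m.id === this.selected);
    if (idx < 0) return;
    this.messages.splice(idx, 1);
    this.selected = null;
    // The reported behaviour: the pane picks the next message by itself.
    // The fix the report asks for is simply to leave the pane empty here.
    if (this.autoAdvance && idx < this.messages.length) {
      this.select(this.messages[idx].id);
    }
  }
}

// Reproduce the steps from the report: open one message, delete it, and
// return the ids of every message that reached the renderer.
function renderedAfterDelete(autoAdvance) {
  const pane = new ReadingPane(INBOX, { autoAdvance });
  pane.select(1);
  pane.deleteSelected();
  return pane.rendered.map(r => r.id);
}

console.log("auto-advance:", renderedAfterDelete(true));   // [1, 2]
console.log("wait for user:", renderedAfterDelete(false)); // [1]
```

Run it with `node`. With auto-advance on, message 2 (from an unknown sender) is parsed by the renderer even though the user only ever clicked message 1; the filter strips what it recognises, but the rest of that message's HTML still goes through. With the pane waiting for user action, only the message the user chose is ever rendered, which is the defence-in-depth setting the report asks for.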