Re: [Full-Disclosure] AOL refuses to help AIM users

From: Berend-Jan Wever (SkyLined@edup.tudelft.nl)
Date: 02/04/03

    From: "Berend-Jan Wever" <SkyLined@edup.tudelft.nl>
    To: <full-disclosure@lists.netsys.com>
    Date: Tue, 4 Feb 2003 13:41:14 +0100
    

    Hi all,

    McAfee has the same problem. McAfee does the virus-scanning for Hotmail. I
    discovered a vuln in Hotmail a while ago that allowed XSS and wrote a PoC
    virus in 100% JavaScript that would spread itself to everyone in the
    address book. I informed Hotmail about the XSS hole: they fixed the problem
    within hours (go Microsoft!).
    I also wanted to inform McAfee that they need to update their scanners. I
    got a message back asking for my user registration number. I told them I
    wasn't a registered user asking for a helpdesk but that I was reporting a
    virus which their scanners did not detect. I got back another "We don't read
    email without your number..." email.

    Berend-Jan Wever

    PS. No! The source of the Hotmail virus will not be disclosed and it doesn't
    work without an XSS hole in Hotmail anyway.

    From: "ATD" <simon@snosoft.com>

    All,
     Has anyone on this list ever tried to report a security issue to AOL? I
    just tried to do that and was literally told, "Corporate policy states
    that we do not help our free users." I said, "I suppose that's because
    you don't make any money off of the free users". The man on the other
    end of the line, being their security expert, then stated, "that's right".
    Is this how they treat their prospective clients, end users, and free
    users? What can we do about this?

    --
    ATD <simon@snosoft.com>
    Secure Network Operations, Inc.
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    

