


  IE flaw allowed hackers to run invasive scripts under Web e-mail



March 25, 2004

Yahoo has patched a hole in its Web e-mail service that could have allowed hackers to run malicious scripts on computers that use Microsoft's Internet Explorer Web browser to check Web e-mail accounts.

The company applied a fix for the vulnerability on Tuesday, shortly after Israeli security company GreyMagic Software published an advisory warning about the problem. The same problem also affects Microsoft's Hotmail e-mail service.

Microsoft was informed on March 11 and patched its Hotmail service before the vulnerability was disclosed. However, security researchers at GreyMagic were unable to reach Yahoo, GreyMagic says.

Sneaky Script
Hotmail and Yahoo filter incoming HTML-format e-mail messages for malicious code. But the filtering, combined with an Internet Explorer feature used to process extensions to HTML called Timed Interactive Multimedia Extensions (HTML + TIME), made it possible to inject malicious script into incoming e-mail messages, GreyMagic says.

The script runs when the Web e-mail message is opened, and could be used to exploit the machine on which the Web mail was being read, according to GreyMagic. The security hole could allow attackers to steal log-in and password information, or to browse the contents of an e-mail account while a user was running IE to check the Web mail account, the company says.

"We learned of a cross-site scripting issue in Yahoo Mail, and immediately began working towards a resolution which was implemented yesterday," says Mary Osako, senior director of communications at Yahoo, in an e-mail statement.

Yahoo does not know of any users who were affected by the vulnerability, Osako adds.

Source: PC World




