Hotmail users angry over pulled photo feature

Relying on oft-criticized ActiveX technology, Microsoft hopes to fix security hole by the end of next month

Windows Live Hotmail users have been venting their frustration at Microsoft Corp. for the past month since the software maker suddenly removed a popular feature because it created a security hole.

The "Attach Photo" feature allowed users to directly add photos, images or graphics into e-mails. Users are allowed to quickly edit and add captions to the photos, which are automatically compressed by Hotmail, enabling users to attach more images per e-mail.

It is distinct from Attach File, which still works and lets users attach photos to e-mails without compressing them or giving users the ability to edit them first.

Users, such as Carl Creed, a retired system administrator in Leiston, England, say they first noticed Attach Photo was missing about three weeks ago.

He and other users have complained on the Windows Live Help support forum about Microsoft's failure to warn them beforehand and the "wasted hours" they spent trying to debug the feature on their own.

"If Microsoft had just told us end users that they were planning to remove this feature before they did remove it, we would not be so upset in the first place," Creed said in an e-mail.

In a posting updated Thursday at the Windows Live Help forum and also posted at the Windows Live blog, Microsoft said it removed the feature after finding an "incompatibility with Internet Explorer that caused a security flaw with photo uploads ... The Hotmail team takes security very seriously and we expect to bring back the photo upload feature by the end of September."

The Attach Photo feature relies on an ActiveX control, a Microsoft spokeswoman confirmed in a follow-up e-mail.

ActiveX is a plug-in technology for building Web components designed by Microsoft. While theoretically a boon for Web programmers, ActiveX has been heavily criticized by security pros, including the U.S. government's Computer Emergency Readiness Team (CERT), for the many threats it enables.

The spokeswoman declined to elaborate on the security flaw because it "might compromise the security of our services."

Ben Greenbaum, a senior research manager for Symantec Corp., declined to criticize the ActiveX technology itself, as the security vendor has done in the past. And he applauded Microsoft's decision to take down the feature until the security hole is fixed.

"Attackers are focusing on vulnerabilities in popular websites in order to reach as wide an audience as possible with their attacks, and leveraging such a popular site as an attack vector would be a huge victory for any online criminal," Greenbaum wrote in an e-mail. "Disabling the vulnerable functionality until a proper solution can be put in place is absolutely the right thing to do."

While popular, the Attach Photo feature has been hit by several problems in the past several years.

In October 2007, users at the Microsoft Developer Network (MSDN) forums complained about being blocked from using Attach Photo due to Internet Explorer 7's security settings.

In May 2008, a poster at Mozilla Firefox's support forum complained about the feature being disabled. This was echoed by a poster at Windows Live Help in March this year.

In reply, a Microsoft representative posted that the Attach Photo feature was incompatible with the 64-bit version of Windows Vista.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags Microsoftactivexhotmailexploits and vulnerabilities

More about CERT AustraliaetworkMicrosoftMozillaSymantecWindows Live

Show Comments
[]