GreyMagic reports
QUOTE
Both Hotmail and Yahoo make tremendous efforts to sanitize incoming emails from potentially unsafe HTML content. Flawed filtering of such unsafe content may result in severe consequences that would occur as soon as a user opens an email for reading, including:
Theft of login and password.
Content disclosure of any email in the mailbox.
Automatically send emails from the mailbox.
Exploitation of known vulnerabilities in the browser to access the user's file system and eventually take over the machine.
Distribution of a web-based email worm.
Disclosure of all contacts within the address book.


and
QUOTE

GreyMagic devised a method to inject such arbitrary (potentially malicious) content to a Yahoo or Hotmail email message. The method is not limited to Hotmail and Yahoo alone though, it may apply to other web-based services that attempt to filter HTML input.
The vulnerability makes use of an Internet Explorer technology called HTML+TIME (based on SMIL), which is meant to add timing and media synchronization support to HTML pages.
One of the features included in HTML+TIME is the ability to manipulate any attribute on an element via special control elements. For example, the <t:set> element exposes the attributes "attributeName" and "to", which make it possible to inject ANY HTML content to the document when "attributeName" is set to "innerHTML" and "to" is set to any HTML the attacker would like to execute, including script.
qcred11
This is a small example:

<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time" />
<?import namespace="t" implementation="#default#time2">
Optional text here...
<div>
<t:set attributeName="innerHTML" to="<script defer>alert()</script>A" />
</div>
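
Why a filter keyed on known-dangerous tags lets the <t:set> example above through while an allowlist does not, as an added sketch that is not part of the original post or GreyMagic's advisory. Both policies and the names blocklist, allowlist and sanitize are hypothetical, and Python's html.parser stands in for a webmail filter's tokenizer.

```python
from html import escape
from html.parser import HTMLParser

# Constructed policies for illustration; not any webmail provider's real rules.
BLOCKED_TAGS = {"script", "style", "iframe", "object", "embed"}
ALLOWED_TAGS = {"div", "p", "b", "i"}

def blocklist(name, attr=None):  # pass anything not known to be dangerous
    return name not in BLOCKED_TAGS if attr is None else not attr.startswith("on")

def allowlist(name, attr=None):  # pass only known-safe tags, and no attributes at all
    return attr is None and name in ALLOWED_TAGS

class Sanitizer(HTMLParser):
    def __init__(self, policy):
        super().__init__(convert_charrefs=True)
        self.policy, self.out, self.dropped, self.raw = policy, [], [], False

    def handle_starttag(self, tag, attrs):
        self.raw = tag in ("script", "style")  # their text content is never emitted
        if not self.policy(tag):
            self.dropped.append(tag)
            return
        kept = "".join(f' {k}="{escape(v or "")}"' for k, v in attrs if self.policy(tag, k))
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        self.raw = False
        if self.policy(tag):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.raw:
            self.out.append(escape(data))

    def handle_pi(self, data):  # "<?import ...>" arrives here; the policy sees it as "?"
        (self.out if self.policy("?") else self.dropped).append(f"<?{data}>")

def sanitize(markup, policy):
    s = Sanitizer(policy)
    s.feed(markup)
    s.close()
    return "".join(s.out), s.dropped

# The example from the quoted advisory, joined onto one line.
POC = ('<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time" />'
       '<?import namespace="t" implementation="#default#time2">Optional text here...'
       '<div><t:set attributeName="innerHTML" to="<script defer>alert()</script>A" /></div>')
```

sanitize(POC, blocklist) returns the <?import> instruction and the <t:set> element intact, because the script text is only an attribute value to the tokenizer; sanitize(POC, allowlist) returns just the text and the empty <div>.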