CVE-1999-0750 in Hotmail
Summary
by MITRE
Hotmail allows Javascript to be executed via the HTML STYLE tag, allowing remote attackers to execute commands on the user's Hotmail account.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/19/2026
This vulnerability resides in the Hotmail web email service and represents a critical cross-site scripting flaw that exploited the HTML style tag to execute malicious javascript code within user sessions. The vulnerability specifically targeted the email client's handling of inline style attributes that contained javascript code, allowing attackers to inject executable scripts that would run in the context of the user's browser session. This represents a classic case of insufficient input sanitization where the application failed to properly validate or escape user-supplied content before rendering it in the browser. The flaw was particularly dangerous because it leveraged the widely used HTML style attribute which is commonly accepted in email formatting and web content, making it an ideal vector for exploitation. The vulnerability falls under CWE-79 which describes improper neutralization of input during web page generation, specifically targeting the execution of malicious scripts in the user's browser context. From an operational perspective, this vulnerability allowed remote attackers to execute arbitrary commands on users' Hotmail accounts by simply sending specially crafted emails containing malicious javascript within style tags. The attack could potentially lead to account takeover, data theft, session hijacking, and other malicious activities that compromised user confidentiality and integrity. The impact extended beyond individual user accounts to potentially affect the broader Hotmail service ecosystem, as successful exploitation could enable attackers to harvest credentials, access sensitive communications, and conduct further reconnaissance or lateral movement within compromised user environments.
The technical implementation of this vulnerability exploited the way Hotmail processed HTML content, particularly how it handled inline styles that contained javascript code. When users received emails with malicious content, the email client would render the HTML without proper sanitization, executing the javascript code within the context of the user's session. This created a persistent threat where even after the initial email was read, the malicious code could continue to execute and potentially establish backdoors or exfiltrate data. The attack vector was particularly insidious because it required no user interaction beyond simply opening the email, making it an ideal candidate for automated mass attacks. The vulnerability exploited the trust users placed in email content, as the malicious javascript was embedded within what appeared to be legitimate email formatting. This type of attack maps to ATT&CK technique T1566 which covers social engineering tactics, specifically targeting email-based attacks that leverage user trust and the expectation of safe content rendering.
Mitigation strategies for this vulnerability required immediate implementation of robust HTML sanitization and content filtering mechanisms. The primary solution involved developing strict input validation that would identify and neutralize javascript code within HTML style attributes, ensuring that any potentially dangerous content was properly escaped or removed before rendering. Security patches needed to implement comprehensive sanitization routines that could detect and block malicious javascript execution within inline styles, CSS properties, and other HTML attributes. Organizations should have deployed web application firewalls to monitor and filter incoming content, while also implementing strict email security policies that would scan for suspicious patterns in email headers and content. The fix required changes to the email rendering engine to ensure that all user-supplied content was properly escaped and validated before being displayed in the browser context, preventing the execution of any embedded javascript regardless of how it was encoded or obfuscated within the style tag. Additionally, user education regarding suspicious email content and the importance of not opening emails from unknown senders became crucial in mitigating the risk of exploitation.