Hotmail and SAFER bug

So we’ve found a small bug in Hotmail when using the SAFER/IE stuff (big thanks to Kody Dickerson for alerting me). Turns out Hotmail will hang when you start it up if you have Hotmail running under a SAFER context and MSN Messenger running as the “normal you”.

The issue is a COM object trying to register under a different account, and in this case, the restricted token behaves like another account.

There’s a COM object used within Hotmail to determine which of your MSN buddies is online.

If you start Messenger, and then start Hotmail in IE, IE will hang for about 3 minutes.

The workaround is to exit Messenger and then open Hotmail. After you sign in to Hotmail, it will launch Messenger and the integration should work just fine!

Comments (3)

  1. Thanks for finding that, Mike!

    Just for giggles, I set up MSN Messenger to run as a Basic User using the SAFER registry settings. It appears to work like a charm, and since both IE and Messenger are running at the same privilege level, the COM conflict you mentioned doesn’t seem to manifest itself. Just a thought 🙂

  2. dan says:

    Wouldn’t it be better to simply run Messenger under the SAFER context? Especially given vulnerabilities seen in messenger clients.

    I’ve never tried it since I always run as LUA :), but it may be worth a shot.

  3. Michael Howard says:

    Yeah, you can run Messenger as Basic User too, and that works as well…