Microsoft disabled a part of its MSN website as it contained a cross-site scripting flaw which allowed attackers to obtain passwords from Hotmail users by getting them to click on a malicious link.
Hotmail customers are no longer at risk, according to Microsoft. "The 'I Love Messenger' Web site has been disabled," the company representative said in an e-mail statement. The site, which hosts emoticons, display pictures and backgrounds for MSN Messenger, Microsoft's free instant messaging service, will be restored once the issue has been resolved, the company said. On Monday afternoon PT, the I Love Messenger Web address was redirecting users to the main MSN Messenger Web site.
The security flaw was found at http://ilovemessenger.msn.com. More info at CNET