Security hole discovered in Microsoft's e-mail program

Source: AP | Published: Wednesday July 19, 12:56 AM

Washington: Two independent researchers have discovered a new way to include malicious code inside Microsoft Outlook e-mail, making it much easier for a hacker to control another person's computer, according to the software company.

'Clearly this is a serious vulnerability,' Scott Culp, Microsoft's security program manager said in a telephone interview today from company headquarters in Redmond, Washington. He said the company would soon make available software that users can download to fix the problem. In the meantime, Microsoft was preparing a security bulletin to post on the Internet.

Unlike other viruses, or 'worms,' the e-mail user isn't required to click on an attachment or read, preview or forward the e-mail to activate the virus. Simply downloading one's e-mail is enough to activate the code.

According to the researchers, there is a way for a malicious hacker to hide software code in an e-mail's time and date stamp through a 'buffer overflow' - extra letters and numbers that trigger an error in the computer. After those letters and numbers, the hacker can include software code that the computer will recognise as legitimate instructions as if they were typed by the victim.

'From there, I could do anything that I would normally be able to do on my computer,' said Russ Cooper, security expert and editor of the online mailing list NTBugTraq. There are 'no limitations' on what a hacker could do, he said, from deleting all the files on the computer's hard drive, to getting knocked off the Internet.

Australian Aaron Drew posted his findings today to the NTBugTraq mailing list, complete with example code. Cooper said that USSR Labs of South America, an Internet security company, also found the exploit. Microsoft said USSR Labs notified the company on July 1. It is common practice to refrain from announcing a vulnerability until a fix is available.

So far, researchers have simply demonstrated that the vulnerability exists and it is not known how dangerous it could be, Cooper said. 'It remains to be seen how important a problem it is, because it depends on whether bad guys do bad things with this information,' he said.

Corporate users aren't affected by the security hole. But home users, running Microsoft's Outlook or Outlook Express e-mail programs, are at risk. But even with the target base reduced, there are still plenty of targets. Outlook Express comes bundled with Microsoft's Internet Explorer browser, which is the most popular Internet browser in use.

Since simply downloading the e-mail triggers the problem, normal 'safe computing' practices may be ineffective in dealing with this new threat.

Microsoft's Culp said the problem component is actually in Internet Explorer, and the company suggests that users upgrade to Internet Explorer version 5.01 Service Pack 1, which can be found free on Microsoft's Web site. That version is not vulnerable to this problem. Internet Explorer 5.5 is also safe for all users except for people running the Windows 2000 operating system. Those users should also get IE 5.01 SP1.

*****************************

P-I-E-N-O's

If you are not using IE5 that has been patched with the Service Pack 1, click on Tools and select Windows Updates. Download the service pack and install. When the results screen button called 'show installed updates' is clicked, your update record will be shown at the right of each update when they are installed.

Thus far, Netscape browsers have not been attacked as much as Microsoft's Internet Explorer and Outlook Express.

You should if possible read your Parkinsn mail at P-I-E-N-O because no viruses can be transmitted using this delivery method.

http://parkinsons-information-exchange-network-online.com
Click on the link to Parkinsn's List Online.

Search the parkinsn archive online at:
http://james.parkinsons.org.uk

Catch the Parkinsn's List Online messages at:
http://www.parkinsons-information-exchange-network-online.com
Click the navigation ads and use the new search tools

John Cottingham