Security hole discovered in Microsoft's e-mail program

Source: AP|Published: Wednesday July 19, 12:56 AM



Washington: Two independent researchers have discovered a new way to
include malicious code inside Microsoft Outlook e-mail, making it much
easier for a hacker to control another person's computer, according to the
software company.

'Clearly this is a serious vulnerability,' Scott Culp, Microsoft's security
program manager, said in a telephone interview today from company
headquarters in Redmond, Washington.

He said the company would soon make available software that users can
download to fix the problem. In the meantime, Microsoft was preparing a
security bulletin to post on the Internet.

Unlike other viruses, or 'worms,' the e-mail user isn't required to click
on an attachment or read, preview or forward the e-mail to activate the
virus. Simply downloading one's e-mail is enough to activate the code.

According to the researchers, there is a way for a malicious hacker to hide
software code in an e-mail's time and date stamp through a 'buffer
overflow' - extra letters and numbers that trigger an error in the
computer. After those letters and numbers, the hacker can include software
code that the computer will recognise as legitimate instructions as if they
were typed by the victim.

'From there, I could do anything that I would normally be able to do on my
computer,' said Russ Cooper, security expert and editor of the online
mailing list NTBugTraq. There are 'no limitations' on what a hacker could
do, he said, from deleting all the files on the computer's hard drive, to
getting knocked off the Internet.

Australian Aaron Drew posted his findings today to the NTBugTraq mailing
list, complete with example code. Cooper said that USSR Labs of South
America, an Internet security company, also found the exploit.

Microsoft said USSR Labs notified the company on July 1. It is common
practice to refrain from announcing a vulnerability until a fix is available.

So far, researchers have simply demonstrated that the vulnerability exists
and it is not known how dangerous it could be, Cooper said.

'It remains to be seen how important a problem it is, because it depends on
whether bad guys do bad things with this information,' he said.

Corporate users aren't affected by the security hole. But home users,
running Microsoft's Outlook or Outlook Express e-mail programs, are at
risk. But even with the target base reduced, there are still plenty of
targets. Outlook Express comes bundled with Microsoft's Internet Explorer
browser, which is the most popular Internet browser in use.

Since simply downloading the e-mail triggers the problem, normal 'safe
computing' practices may be ineffective in dealing with this new threat.

Microsoft's Culp said the problem component is actually in Internet
Explorer, and the company suggests that users upgrade to Internet Explorer
version 5.01 Service Pack 1, which can be found free on Microsoft's Web
site. That version is not vulnerable to this problem. Internet Explorer 5.5
is also safe for all users except for people running the Windows 2000
operating system. Those users should also get IE 5.01 SP1.

*****************************

P-I-E-N-O's

If you are not using IE5 that has been patched with the Service Pack 1,
click on Tools and select Windows Updates. Download the service pack and
install. When the results screen button called 'show installed updates' is
clicked, your update record will be shown at the right of each update when
they are installed.

Thus far, Netscape browsers have not been attacked as much as Microsoft's
Internet Explorer and Outlook Express.

You should if possible read your Parkinsn mail at P-I-E-N-O because no
viruses can be transmitted using this delivery method.


http://parkinsons-information-exchange-network-online.com

Click on the link to Parkinsn's List Online.



John Cottingham