Flaw confirmed in 3 e-mail programs

   BY DAVID L. WILSON
   Mercury News Staff Writer

http://www.mercurycenter.com/business/top/001482.htm

The U.S. Energy Department's computer security team confirmed Tuesday
that a significant security flaw exists in three of the most popular
e-mail programs around that could have catastrophic consequences and
urged users to repair or replace the software.

Corporate technology managers spent Tuesday frantically scrambling
for more information about the flaw, which was first reported in the
Mercury News. Software companies initially provided little additional
technical information about the problem and no real fixes. Microsoft
Corp., for example, offered patches that were determined to be
ineffective and were subsequently withdrawn.

The flaw, which allows an outsider to send a booby-trapped e-mail
message that is capable of executing commands on the user's computer
-- such as erasing the hard drive -- exists in some of the most
popular software in the world: Microsoft Corp.'s Outlook Express and
Outlook 98, and Netscape Communications Corp.'s Messenger Mail, which
accompanies versions 4.x of the Communicator Web browser software.
Other e-mail readers may be affected, but most researchers now
believe that another commonly used program, Qualcomm Corp.'s Eudora,
is safe. The flaw can be exploited on the most common computer
operating systems.

The Computer Incident Advisory Capability, the Energy Department's
team, headquartered at the Lawrence Livermore National Laboratory,
declared in an emergency bulletin that the situation is extremely
serious: ``We base this assessment on the ease with which the
vulnerability can be exploited, the widespread use of the vulnerable
e-mail/news readers and the potential for doing serious damage to a
computer.''

Microsoft attempted to post patches for the hole in its products
Monday, but technical problems kept most users from getting to them.
Then the company discovered that the first set of patches didn't
work. Anybody who downloaded the first set of patches is urged by the
company to download them again, probably later this week.
Alternatively, users can download a free copy of Eudora Light until a
patched version of their favorite e-mail program is available.

Some users believed the story was incorrect because it is so similar
to a well-known Internet hoax called the Good Times virus. Typically,
a user gets an e-mail warning them to delete any e-mail with the
subject ``Good Times'' because, if opened, the Good Times e-mail will
reformat the hard drive. The warning message urges the recipient to
``send this to all your friends,'' creating a flood of unnecessary
e-mail, chewing up system resources, and annoying computer system
administrators who must inform users that e-mail is perfectly safe
unless you open up an attachment.

Until this latest flaw was uncovered, that was generally true.

``The really bad thing is that now I'll have a bunch of users who
previously sent me the Good Times Virus warning going `I told you
so,' '' laughed Joe Indresaro, a senior system administrator at E-mu
Systems Inc. in Scotts Valley. He's installing whatever patches are
available, as are many other system administrators.

Normally, e-mail alone can't do any damage to a system. But attackers
can attach a file that's essentially a program to an e-mail message.
If a user runs that program, it could do damage to the system.

But this latest flaw can be triggered in some cases without even
opening the booby-trapped e-mail.

The problem can be exploited by assigning an exceptionally long file
name -- sometimes hundreds of characters -- to an attachment. If the
name is too long, it will overflow the e-mail program's buffer. At
that point, any software code contained in that overflow can
sometimes execute commands on the user's computer.

The problem is related to MIME capabilities, or Multipurpose Internet
Mail Extensions, which let e-mailers work with items besides text.
MIME headers tell the e-mail software how to treat the file. Older
e-mail software that is not MIME-compliant is not vulnerable to the
hole.
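
As an added illustration (not code from the article, CIAC or any vendor),
a mail gateway can check for the condition described above by measuring
every attachment name a message declares in its MIME headers before the
message reaches a client. The 255-character limit, the function names and
the sample messages are assumptions constructed for this example.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

MAX_NAME_LEN = 255  # assumed gateway policy limit, not a figure from the article


def declared_names(part):
    """Yield (header, parameter, file name) for each name a MIME part declares."""
    for header, param in (("Content-Disposition", "filename"),
                          ("Content-Type", "name")):
        value = part.get_param(param, header=header)
        if value is not None:
            # RFC 2231 encoded values come back as a tuple; collapse to str.
            yield header, param, collapse_rfc2231_value(value)


def overlong_names(raw_message, limit=MAX_NAME_LEN):
    """Return (part index, header, parameter, length) for names over limit."""
    findings = []
    for index, part in enumerate(message_from_string(raw_message).walk()):
        for header, param, name in declared_names(part):
            if len(name) > limit:
                findings.append((index, header, param, len(name)))
    return findings


def sample_message(attachment_headers):
    """Constructed two-part test message; the payload is inert filler text."""
    return ("From: sender@example.com\nTo: rcpt@example.com\n"
            "Subject: constructed sample\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="XX"\n\n'
            "--XX\nContent-Type: text/plain\n\nhello\n"
            "--XX\n" + attachment_headers + "\n\nfiller\n--XX--\n")


BENIGN = sample_message('Content-Type: application/octet-stream\n'
                        'Content-Disposition: attachment; filename="report.doc"')
LONG = sample_message('Content-Type: application/octet-stream\n'
                      'Content-Disposition: attachment; filename="'
                      + "A" * 600 + '.txt"')
# Name split across RFC 2231 continuations: each piece is short, the sum is not.
SPLIT = sample_message('Content-Type: application/octet-stream\n'
                       'Content-Disposition: attachment; filename*0="'
                       + "A" * 200 + '"; filename*1="' + "B" * 200 + '"')

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("long", LONG), ("split", SPLIT)):
        print(label, overlong_names(raw))
```

The check measures the reassembled name, so a name divided into short
continuation pieces is still caught, and it covers both headers in which
a MIME part can declare a file name.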

While no one believes this flaw has been exploited outside the
laboratories where it's been researched for the past month, experts
are urging users and computer system administrators to repair their
systems as quickly as possible, on the assumption that ``black hat''
hackers will soon be exploiting the problem.

``I'm just scared that somebody is going to spam the world with this.
Soon,'' said William J. Orvis, a security specialist with CIAC.

Computer system administrators around the world are studying the
situation, trying to see what needs to be done.

``We don't normally comment on our internal systems, for security
reasons,'' said Lew Wagner, senior manager of the corporate
information security department at networking giant Cisco Systems
Inc. Wagner, however, said the standard e-mail package used inside
Cisco is not affected by the problem, adding there could be some
people within the organization who are using something else.

``We're trying to make sure our 14,000 employees are not using any
unauthorized applications,'' he said.

 ===========================================================================
Barbara Patterson
HSC 2J22                                        905-525-9140, ext. 22403
                        School of Nursing
 ===========================================================================