Flaw confirmed in 3 e-mail programs

BY DAVID L. WILSON
Mercury News Staff Writer

http://www.mercurycenter.com/business/top/001482.htm

The U.S. Energy Department's computer security team confirmed Tuesday that a significant security flaw exists in three of the most popular e-mail programs around that could have catastrophic consequences and urged users to repair or replace the software.

Corporate technology managers spent Tuesday frantically scrambling for more information about the flaw, which was first reported in the Mercury News. Software companies initially provided little additional technical information about the problem and no real fixes. Microsoft Corp., for example, offered patches that were determined to be ineffective and were subsequently withdrawn.

The flaw, which allows an outsider to send a booby-trapped e-mail message that is capable of executing commands on the user's computer -- such as erasing the hard drive -- exists in some of the most popular software in the world: Microsoft Corp.'s Outlook Express and Outlook 98, and Netscape Communications Corp.'s Messenger Mail, which accompanies versions 4.x of the Communicator Web browser software.

Other e-mail readers may be affected, but most researchers now believe that another commonly used program, Qualcomm Corp.'s Eudora, is safe. The flaw can be exploited on the most common computer operating systems.

The Computer Incident Advisory Capability, the Energy Department's team, headquartered at the Lawrence Livermore National Laboratory, declared in an emergency bulletin that the situation is extremely serious: ``We base this assessment on the ease with which the vulnerability can be exploited, the widespread use of the vulnerable e-mail/news readers and the potential for doing serious damage to a computer.''

Microsoft attempted to post patches for the hole in its products Monday, but technical problems kept most users from getting to them.
Then the company discovered that the first set of patches didn't work. Anybody who downloaded the first set of patches is urged by the company to download them again, probably later this week. Alternatively, users can download a free copy of Eudora Light until a patched version of their favorite e-mail program is available.

Some users believed the story was incorrect because it is so similar to a well-known Internet hoax called the Good Times virus. Typically, a user gets an e-mail warning them to delete any e-mail with the subject ``Good Times'' because, if opened, the Good Times e-mail will reformat the hard drive. The warning message urges the recipient to ``send this to all your friends,'' creating a flood of unnecessary e-mail, chewing up system resources, and annoying computer system administrators who must inform users that e-mail is perfectly safe unless you open up an attachment.

Until this latest flaw was uncovered, that was generally true.

``The really bad thing is that now I'll have a bunch of users who previously sent me the Good Times Virus warning going `I told you so,' '' laughed Joe Indresaro, a senior system administrator at E-mu Systems Inc. in Scotts Valley. He's installing whatever patches are available, as are many other system administrators.

Normally, e-mail alone can't do any damage to a system. But attackers can attach a file that's essentially a program to an e-mail message. If a user runs that program, it could do damage to the system. But this latest flaw can be triggered in some cases without even opening the booby-trapped e-mail.

The problem can be exploited by assigning an exceptionally long file name -- sometimes hundreds of characters -- to an attachment. If the name is too long, it will overflow the e-mail program's buffer. At that point, any software code contained in that overflow can sometimes execute commands on the user's computer.
The problem is related to MIME capabilities, or Multipurpose Internet Mail Extensions, which let e-mailers work with items besides text. MIME headers tell the e-mail software how to treat the file. Older e-mail software that is not MIME-compliant is not vulnerable to the hole.

While no one believes this flaw has been exploited outside the laboratories where it's been researched for the past month, experts are urging users and computer system administrators to repair their systems as quickly as possible, on the assumption that ``black hat'' hackers will soon be exploiting the problem.

``I'm just scared that somebody is going to spam the world with this. Soon.'' said William J. Orvis, a security specialist with CIAC.

Computer system administrators around the world are studying the situation, trying to see what needs to be done.

``We don't normally comment on our internal systems, for security reasons,'' said Lew Wagner, senior manager of the corporate information security department at networking giant Cisco Systems Inc. Wagner, however, said the standard e-mail package used inside Cisco is not affected by the problem, adding there could be some people within the organization who are using something else.

``We're trying to make sure our 14,000 employees are not using any unauthorized applications,'' he said.

===========================================================================
Barbara Patterson
HSC 2J22
905-525-9140, ext. 22403
School of Nursing
===========================================================================
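
Added example, not part of the article or of any vendor's fix: a mail-gateway style check in Python that flags attachment names of the length the article describes before a vulnerable reader parses the message. The 128-character limit, the function name and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

MAX_NAME_LEN = 128  # assumed local policy limit, not a value from the article

# The two MIME parameters that can carry an attachment's file name.
NAME_PARAMS = (("content-disposition", "filename"), ("content-type", "name"))


def oversized_names(raw_message, limit=MAX_NAME_LEN):
    """Return (part_index, parameter, length) for every over-long declared name."""
    findings = []
    for index, part in enumerate(message_from_string(raw_message).walk()):
        for header, param in NAME_PARAMS:
            value = part.get_param(param, header=header)
            if value is None:
                continue
            # RFC 2231 encoded or continued values arrive as a tuple after the
            # parser reassembles them; collapse to plain text before measuring.
            name = collapse_rfc2231_value(value)
            if len(name) > limit:
                findings.append((index, f"{header}; {param}", len(name)))
    return findings


# Constructed sample: one normal attachment, and one whose Content-Disposition
# looks harmless while the Content-Type "name" parameter is 304 characters long.
LONG_NAME = "A" * 300 + ".txt"
SAMPLE = (
    "From: sender@example.com\nTo: rcpt@example.com\n"
    "Subject: constructed test\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nbody\n"
    '--b1\nContent-Type: text/plain; name="notes.txt"\n'
    'Content-Disposition: attachment; filename="notes.txt"\n\nok\n'
    f'--b1\nContent-Type: application/octet-stream; name="{LONG_NAME}"\n'
    'Content-Disposition: attachment; filename="short.bin"\n\ndata\n'
    "--b1--\n"
)

if __name__ == "__main__":
    for finding in oversized_names(SAMPLE):
        print("quarantine:", finding)
```

Both parameters are checked separately because a reader may take the name from either header, so a short `filename` does not clear a part whose `name` is over the limit.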