News: Security flaw in email programs - NY Times 7/29/98

News (
Wed, 29 Jul 1998 11:03:35 -0400

July 29, 1998, New York Times

        Security Flaw Discovered in E-Mail Programs


            SAN FRANCISCO -- A serious security flaw has been
            discovered in popular e-mail programs published by
        Microsoft Corp. and Netscape Communications Corp. that
        would permit a malicious person to send a message containing
        a virus that could crash a computer, destroy or even steal data. 

        So far, security tests have shown that the flaw exists in three of
        the four most popular e-mail programs, used by perhaps tens of
        millions of people around the world: Microsoft's Outlook
        Express and Outlook 98 and Netscape's Web browser,
        Navigator, which is part of its Communicator suite of Internet

        While Microsoft is already providing fixes, the flaw is
        particularly worrisome in the Microsoft Outlook 98 program,
        which combines e-mail with a schedular, contact list, notes and
        other tasks, because this software allows an illicit program
        attached to a piece of e-mail to execute without any activity on
        the part of the person using the target computer. Most computer
        viruses can only infect a machine when the user opens an
        infected file or attempts to run an infected program. 

        What is more, Microsoft admitted on Tuesday that the first fix
        that was offered on the company's Web site, on Monday, does
        not repair the problem. Anyone who downloaded and installed
        that fix will have to return to the Web site and download and
        install the new version. 

        Microsoft reported on Tuesday that users of its Outlook
        Express program, the e-mail software supplied with Windows
        95 and Windows 98, would have to open an infected
        attachment before a malicious program could be executed. 

        Netscape officials said on Tuesday that a user of their
        Communicator program would also have to open a file before
        a virus could activate. The extra danger of the Outlook 98
        program is that it allows a malicious e-mail attachment to
        execute at the moment the e-mail message arrives at the

        Microsoft officials said that the flaw was present in versions
        of the Outlook Express shipped with Microsoft Internet
        Explorer 4.0 or 4.01 on Windows 98, Windows 95, Windows
        NT 4.0 and Windows NT for DEC Alpha, as well as in
        versions for Macintosh and UNIX machines. 

        Windows 3.1 and Windows NT 3.51 versions of Internet
        Explorer are not affected. 

        In all, Microsoft said on Tuesday that it had distributed about 2
        million copies of the more seriously flawed Outlook 98
        program and at least a million copies of Outlook Express. 

        Netscape could only report that 70 million copies of its
        Navigator/Communicator software had been downloaded, but
        the company could not determine how many people used the
        browser's built-in e-mail software. Many people use separate,
        more sophisticated programs than those that are shipped with

        The most popular of these is Eudora, a mail program published
        by the Qualcomm Corp. Security researchers said that Eudora
        was not vulnerable to the problem. 

        Although there is no evidence yet that any computer virus has
        been distributed that exploits this newly discovered
        vulnerability, security experts say that since word of the flaw
        leaked on the Internet over the weekend, virus makers are
        undoubtedly already aware of it and will work quickly to take
        advantage of it. 

        As of Tuesday, Microsoft was already providing "patches,"
        small programs that repair the flaw in e-mail programs in
        question for its Windows and NT operating system. The
        company said that fixes for Macintosh and Unix computers
        would be forthcoming. 

        Microsoft officials said that the company's software
        development group was attempting to determine how the
        flawed code made it into their software. 

        Netscape officials posted a notice about the problem on their
        Web site on Tuesday, noting that the flaw only affects the
        Windows and Windows NT versions of Navigator, not those
        distributed for Macintosh or UNIX machines. The company
        said it would post a patch for its Windows and NT versions
        within two weeks. Neither company currently has any plans to
        notify users of the danger and the availability of patches other
        than the notices on the Internet. 

        The Microsoft patches are available at As of Tuesday, none of the
        virus detection programs were yet offering protection from --
        or even detection of -- malicious e-mail attachments designed
        to exploit the flaw. Officials at Symantec Corp.said that they
        were now exploring how they might add new functions to their
        software to detect this type of virus, but they said they would
        not be able to offer any protection in the near term. 

        Corporate users of electronic mail typically have their e-mail
        programs configured to check for mail every 10 minutes or so
        while on line and then automatically download any new
        messages to the computer's hard drive. 

        Security experts said they were astounded that both companies
        had distributed software containing a well-known type of
        program-design error. The code that resulted in the flaw has
        been a widely documented problem for more than 30 years. 

        "I'm appalled that a flaw like this would be in recently written
        software, given what we know," said Eugene Spafford,
        director of the Center for Education and Research in
        Information Assurance and Security at Purdue University. 

        Several security specialists attributed the flaw to heated
        competition between Microsoft and Netscape for domination
        of the Internet market. Both companies have been rushing
        programs to market in record times, giving them away for free
        and largely turning millions of Internet users into a massive
        audience of software testers. 

        A number of computer security researchers also said that
        because the program had been so widely disseminated on
        commercial CD-ROMs, as part of the Windows operating
        system and over the Internet, closing the hole might prove to be
        a particularly vexing task. 

        Last week, security experts who have been aware of the
        problem for several weeks began talking openly about the
        possibility of forcing the software publishers to issue a general
        recall of their software because of the potential danger. The
        Federal Trade Commission, the government agency
        responsible for such recalls, has never recalled software and
        does not have a policy for doing so. 

        "What we need is to begin to treat computer security issues
        with as much fervor as we treat a medical issue or a financial
        issue, said Russ Cooper, a software security expert and the
        moderator of a mailing list that deals with Microsoft software
        bugs. "To do this we need a mechanism for software recalls.
        Microsoft needs to recall all Windows 98 CDs and all CDs
        produced with the affected versions of Outlook Express and
        Outlook 98, and Netscape needs to recall all the affected
        version of their Communicator suite." 

        Microsoft executives said that the company had begun putting
        into place user protection mechanisms that would make
        software recalls unnecessary. For example, beginning with its
        Windows 98 program, Microsoft added a Windows Update
        feature that notifies users if their software is not up-to-date. 

        To use the feature, however, the users have to press the Start
        button, followed by Settings, followed by Windows Update.
        What is more, as of tonight, the automatic update feature
        offered a patch for the Outlook Express problem but did not
        even mention the far more serious Outlook 98 flaw. 


* Peace Through Reason - - Convert the War Machines! *