News: Security flaw in email programs - NY Times 7/29/98
News (prop1@prop1.org)
Wed, 29 Jul 1998 11:03:35 -0400
July 29, 1998, New York Times
Security Flaw Discovered in E-Mail Programs
By JOHN MARKOFF
SAN FRANCISCO -- A serious security flaw has been
discovered in popular e-mail programs published by
Microsoft Corp. and Netscape Communications Corp. that
would permit a malicious person to send a message containing
a virus that could crash a computer, destroy or even steal data.
So far, security tests have shown that the flaw exists in three of
the four most popular e-mail programs, used by perhaps tens of
millions of people around the world: Microsoft's Outlook
Express and Outlook 98 and Netscape's Web browser,
Navigator, which is part of its Communicator suite of Internet
programs.
While Microsoft is already providing fixes, the flaw is
particularly worrisome in the Microsoft Outlook 98 program,
which combines e-mail with a schedular, contact list, notes and
other tasks, because this software allows an illicit program
attached to a piece of e-mail to execute without any activity on
the part of the person using the target computer. Most computer
viruses can only infect a machine when the user opens an
infected file or attempts to run an infected program.
What is more, Microsoft admitted on Tuesday that the first fix
that was offered on the company's Web site, on Monday, does
not repair the problem. Anyone who downloaded and installed
that fix will have to return to the Web site and download and
install the new version.
Microsoft reported on Tuesday that users of its Outlook
Express program, the e-mail software supplied with Windows
95 and Windows 98, would have to open an infected
attachment before a malicious program could be executed.
Netscape officials said on Tuesday that a user of their
Communicator program would also have to open a file before
a virus could activate. The extra danger of the Outlook 98
program is that it allows a malicious e-mail attachment to
execute at the moment the e-mail message arrives at the
computer.
Microsoft officials said that the flaw was present in versions
of the Outlook Express shipped with Microsoft Internet
Explorer 4.0 or 4.01 on Windows 98, Windows 95, Windows
NT 4.0 and Windows NT for DEC Alpha, as well as in
versions for Macintosh and UNIX machines.
Windows 3.1 and Windows NT 3.51 versions of Internet
Explorer are not affected.
In all, Microsoft said on Tuesday that it had distributed about 2
million copies of the more seriously flawed Outlook 98
program and at least a million copies of Outlook Express.
Netscape could only report that 70 million copies of its
Navigator/Communicator software had been downloaded, but
the company could not determine how many people used the
browser's built-in e-mail software. Many people use separate,
more sophisticated programs than those that are shipped with
browsers.
The most popular of these is Eudora, a mail program published
by the Qualcomm Corp. Security researchers said that Eudora
was not vulnerable to the problem.
Although there is no evidence yet that any computer virus has
been distributed that exploits this newly discovered
vulnerability, security experts say that since word of the flaw
leaked on the Internet over the weekend, virus makers are
undoubtedly already aware of it and will work quickly to take
advantage of it.
As of Tuesday, Microsoft was already providing "patches,"
small programs that repair the flaw in e-mail programs in
question for its Windows and NT operating system. The
company said that fixes for Macintosh and Unix computers
would be forthcoming.
Microsoft officials said that the company's software
development group was attempting to determine how the
flawed code made it into their software.
Netscape officials posted a notice about the problem on their
Web site on Tuesday, noting that the flaw only affects the
Windows and Windows NT versions of Navigator, not those
distributed for Macintosh or UNIX machines. The company
said it would post a patch for its Windows and NT versions
within two weeks. Neither company currently has any plans to
notify users of the danger and the availability of patches other
than the notices on the Internet.
The Microsoft patches are available at
www.microsoft.com/ie/security. As of Tuesday, none of the
virus detection programs were yet offering protection from --
or even detection of -- malicious e-mail attachments designed
to exploit the flaw. Officials at Symantec Corp.said that they
were now exploring how they might add new functions to their
software to detect this type of virus, but they said they would
not be able to offer any protection in the near term.
Corporate users of electronic mail typically have their e-mail
programs configured to check for mail every 10 minutes or so
while on line and then automatically download any new
messages to the computer's hard drive.
Security experts said they were astounded that both companies
had distributed software containing a well-known type of
program-design error. The code that resulted in the flaw has
been a widely documented problem for more than 30 years.
"I'm appalled that a flaw like this would be in recently written
software, given what we know," said Eugene Spafford,
director of the Center for Education and Research in
Information Assurance and Security at Purdue University.
Several security specialists attributed the flaw to heated
competition between Microsoft and Netscape for domination
of the Internet market. Both companies have been rushing
programs to market in record times, giving them away for free
and largely turning millions of Internet users into a massive
audience of software testers.
A number of computer security researchers also said that
because the program had been so widely disseminated on
commercial CD-ROMs, as part of the Windows operating
system and over the Internet, closing the hole might prove to be
a particularly vexing task.
Last week, security experts who have been aware of the
problem for several weeks began talking openly about the
possibility of forcing the software publishers to issue a general
recall of their software because of the potential danger. The
Federal Trade Commission, the government agency
responsible for such recalls, has never recalled software and
does not have a policy for doing so.
"What we need is to begin to treat computer security issues
with as much fervor as we treat a medical issue or a financial
issue, said Russ Cooper, a software security expert and the
moderator of a mailing list that deals with Microsoft software
bugs. "To do this we need a mechanism for software recalls.
Microsoft needs to recall all Windows 98 CDs and all CDs
produced with the affected versions of Outlook Express and
Outlook 98, and Netscape needs to recall all the affected
version of their Communicator suite."
Microsoft executives said that the company had begun putting
into place user protection mechanisms that would make
software recalls unnecessary. For example, beginning with its
Windows 98 program, Microsoft added a Windows Update
feature that notifies users if their software is not up-to-date.
To use the feature, however, the users have to press the Start
button, followed by Settings, followed by Windows Update.
What is more, as of tonight, the automatic update feature
offered a patch for the Outlook Express problem but did not
even mention the far more serious Outlook 98 flaw.
_______________________________________________________________________
* Peace Through Reason - http://prop1.org - Convert the War Machines! *
_______________________________________________________________________