Malicious code can sneak in through e-mail

Security holes newly discovered in leading e-mail clients and browsers are hazardous
because they are easy to exploit and affect many users.

When Microsoft Outlook 98, Microsoft Outlook Express and Netscape Mail clients receive
mail attachments with filenames that exceed 256 characters, they let the attachments dump
possibly malicious code into computer memory.

The Secure Programming Group at Oulu University in Finland reported the security flaw
in June.

The result might be an application or system crash. But if a hacker has placed an
executable command within the long filename, it conceivably could open up a path into
other networked computers that have full user privileges.

An e-mail recipient need not open a file attachment to cause the execution of malicious
code. Simply doing file management, examining file properties or keeping an e-mail preview
pane open can activate any malicious code.

Microsoft Corp. combated a similar bug earlier this year in its Internet Explorer
browser. The bug occurred when uniform resource locators were more than 256 characters
long. The danger was identical, but the method of attack differed.

In both cases, the culprit is overflow, a common mode of attack. The new bug is the
first time that an overflow technique has affected e-mail security, however.

Microsoft has posted a fix on its Web site at The patch
will close the security hole in Outlook 98 and Outlook Express 4.x running under Windows
9x, Windows NT, SunSoft Solaris and Apple Mac OS. Outlook 97 and Outlook Express for
Windows 3.x do not have the problem.

Netscape Communications Corp. is working on a fix that the company said would be ready
by midmonth. Users of the mail and news components of Netscape Communicator versions 4.0
through 4.05 and Netscape Communicator 4.5 Preview Release 1 running under Windows 3.x,
Win9x and NT will need the patch. Netscape officials said the vulnerability does not
affect Communicator running under Mac OS or Unix.

For information about how to avoid problems until the Netscape patch is ready, visit

Qualcomm Inc. of San Diego said its Eudora mail products are not susceptible to
long-filename attacks. Check out
for more information.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected