Malicious code can sneak in through e-mail

Security holes newly discovered in leading e-mail clients and browsers are hazardous
because they are easy to exploit and affect many users.


When Microsoft Outlook 98, Microsoft Outlook Express and Netscape Mail clients receive
mail attachments with filenames that exceed 256 characters, they let the attachments dump
possibly malicious code into computer memory.


The Secure Programming Group at Oulu University in Finland reported the security flaw
in June.


The result might be an application or system crash. But if a hacker has placed an
executable command within the long filename, it conceivably could open up a path into
other networked computers that have full user privileges.


An e-mail recipient need not open a file attachment to cause the execution of malicious
code. Simply doing file management, examining file properties or keeping an e-mail preview
pane open can activate any malicious code.


Microsoft Corp. combated a similar bug earlier this year in its Internet Explorer
browser. The bug occurred when uniform resource locators were more than 256 characters
long. The danger was identical, but the method of attack differed.


In both cases, the culprit is a buffer overflow, a common mode of attack. The new bug,
however, marks the first time that an overflow technique has affected e-mail security.
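
Until clients are patched, a mail gateway can flag messages whose attachment names exceed the 256-character limit described above. The following Python sketch is an added example, not code from Microsoft, Netscape or the Oulu researchers; the function names and the sample message are constructed for illustration. It checks both headers that can carry an attachment name and reassembles names split across RFC 2231 continuation parameters.

```python
import email
from email.utils import collapse_rfc2231_value

MAX_FILENAME_CHARS = 256  # threshold taken from the article


def overlong_attachment_names(raw_message, limit=MAX_FILENAME_CHARS):
    """Return (part_index, header, length) for each attachment name longer than limit."""
    msg = email.message_from_string(raw_message)
    findings = []
    for index, part in enumerate(msg.walk()):
        # A client may read the name from either header, so check both.
        for header, param in (("content-disposition", "filename"),
                              ("content-type", "name")):
            value = part.get_param(param, header=header)
            if value is None:
                continue
            # get_param() has already joined filename*0/filename*1 pieces;
            # collapse_rfc2231_value() turns the result into a plain string.
            name = collapse_rfc2231_value(value)
            if len(name) > limit:
                findings.append((index, header, len(name)))
    return findings


def constructed_message(filename_param):
    """Build a constructed two-part sample message (not a captured one)."""
    return (
        "From: sender@example.test\n"
        "To: recipient@example.test\n"
        "Subject: sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="XX"\n'
        "\n"
        "--XX\n"
        "Content-Type: text/plain\n"
        "\n"
        "body\n"
        "--XX\n"
        "Content-Type: application/octet-stream\n"
        f"Content-Disposition: attachment; {filename_param}\n"
        "\n"
        "data\n"
        "--XX--\n"
    )


if __name__ == "__main__":
    sample = constructed_message('filename="' + "A" * 300 + '"')
    for index, header, length in overlong_attachment_names(sample):
        print(f"part {index}: {header} name is {length} characters, quarantine")
```

A gateway would quarantine or rename flagged attachments before delivery, so the unpatched client never handles the long name.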


Microsoft has posted a fix on its Web site at http://www.microsoft.com/security. The patch
will close the security hole in Outlook 98 and Outlook Express 4.x running under Windows
9x, Windows NT, SunSoft Solaris and Apple Mac OS. Outlook 97 and Outlook Express for
Windows 3.x do not have the problem.


Netscape Communications Corp. is working on a fix that the company said would be ready
by midmonth. Users of the mail and news components of Netscape Communicator versions 4.0
through 4.05 and Netscape Communicator 4.5 Preview Release 1 running under Windows 3.x,
Win9x and NT will need the patch. Netscape officials said the vulnerability does not
affect Communicator running under Mac OS or Unix.


For information about how to avoid problems until the Netscape patch is ready, visit http://www.netscape.com/products/security/resources/bugs/longfile.html.


Qualcomm Inc. of San Diego said its Eudora mail products are not susceptible to
long-filename attacks. Check out http://www.eudora.com
for more information.
