Malicious code can sneak in through e-mail

Security holes newly discovered in leading e-mail clients and browsers are hazardous
because they are easy to exploit and affect many users.


When Microsoft Outlook 98, Microsoft Outlook Express and Netscape Mail clients receive
mail attachments with filenames that exceed 256 characters, they let the attachments dump
possibly malicious code into computer memory.


The Secure Programming Group at Oulu University in Finland reported the security flaw
in June.


The result might be an application or system crash. But if a hacker has placed an
executable command within the long filename, it conceivably could open up a path into
other networked computers that have full user privileges.


An e-mail recipient need not open a file attachment to cause the execution of malicious
code. Simply doing file management, examining file properties or keeping an e-mail preview
pane open can activate any malicious code.


Microsoft Corp. combated a similar bug earlier this year in its Internet Explorer
browser. The bug occurred when uniform resource locators were more than 256 characters
long. The danger was identical, but the method of attack differed.


In both cases, the culprit is overflow, a common mode of attack. The new bug is the
first time that an overflow technique has affected e-mail security, however.


Microsoft has posted a fix on its Web site at http://www.microsoft.com/security. The patch
will close the security hole in Outlook 98 and Outlook Express 4.x running under Windows
9x, Windows NT, SunSoft Solaris and Apple Mac OS. Outlook 97 and Outlook Express for
Windows 3.x do not have the problem.


Netscape Communications Corp. is working on a fix that the company said would be ready
by midmonth. Users of the mail and news components of Netscape Communicator versions 4.0
through 4.05 and Netscape Communicator 4.5 Preview Release 1 running under Windows 3.x,
Win9x and NT will need the patch. Netscape officials said the vulnerability does not
affect Communicator running under Mac OS or Unix.


For information about how to avoid problems until the Netscape patch is ready, visit http://www.netscape.com/products/security/resources/bugs/longfile.html.


Qualcomm Inc. of San Diego said its Eudora mail products are not susceptible to
long-filename attacks. Check out http://www.eudora.com for more information.
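
As an added illustration (not code from this article or from any vendor named in it), a mail gateway or triage script can flag the condition described above by checking attachment names against the 256-character figure before a vulnerable client handles the message. The function names, the sample message and its addresses are constructed for this example.

```python
from email import message_from_bytes, policy
from email.utils import collapse_rfc2231_value

LIMIT = 256  # length figure quoted in the article; longer names are flagged

# Both places a MIME part can carry an attachment name.
NAME_PARAMS = (("filename", "content-disposition"), ("name", "content-type"))


def long_attachment_names(raw: bytes, limit: int = LIMIT) -> list:
    """Return (content_type, name_length) for each part whose name exceeds limit."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        for param, header in NAME_PARAMS:
            value = part.get_param(param, header=header)
            if value is None:
                continue  # header or parameter not present on this part
            name = collapse_rfc2231_value(value)
            if len(name) > limit:
                hits.append((part.get_content_type(), len(name)))
    return hits


def sample_message(name: str) -> bytes:
    """Constructed two-part test message with one attachment called `name`."""
    return (
        "From: sender@example.org\r\nTo: rcpt@example.org\r\n"
        "Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="BOUND"\r\n\r\n'
        "--BOUND\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        "--BOUND\r\nContent-Type: application/octet-stream\r\n"
        f'Content-Disposition: attachment; filename="{name}"\r\n\r\n'
        "data\r\n--BOUND--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for label, name in (("normal", "report.txt"), ("oversized", "A" * 300 + ".txt")):
        hits = long_attachment_names(sample_message(name))
        print(label, "->", hits if hits else "ok")
```

A gateway would quarantine or rename flagged parts rather than deliver them unchanged.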
