Security hole discovered in Microsoft's e-mail

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

Security hole discovered in Microsoft's e-mail program

Source: AP|Published: Wednesday July 19, 12:56 AM

Washington: Two independent researchers have discovered a new way to include malicious code inside Microsoft Outlook e-mail, making it much easier for a hacker to control another person's computer, according to the software company.

'Clearly this is a serious vulnerability,' Scott ', Microsoft's security program manager said in a telephone interview today from company headquarters in Redmond, Washington.

He said the company would soon make available software that users can download to fix the problem. In the meantime, Microsoft was preparing a security bulletin to post on the Internet.

Unlike other viruses, or 'worms,' the e-mail user isn't required to click on an attachment or read, preview or forward the e-mail to activate the virus. Simply downloading one's e-mail is enough to activate the code.

According to the researchers, there is a way for a malicious hacker to hide software code in an e-mail's time and date stamp through a 'buffer overflow' - extra letters and numbers that trigger an error in the computer. After those letters and numbers, the hacker can include software code that the computer will recognise as legitimate instructions as if they were typed by the victim.

'From there, I could do anything that I would normally be able to do on my computer,' said Russ Cooper, security expert and editor of the online mailing list NTBugTraq. There are 'no limitations' on what a hacker could do, he said, from deleting all the files on the computer's hard drive, to getting knocked off the Internet.

Australian Aaron Drew posted his findings today to the NTBugTraq mailing list, complete with example code. Cooper said that USSR Labs of South America, an Internet security company, also found the exploit.

Microsoft said USSR Labs notified the company on July 1. It is common practice to refrain from announcing a vulnerability until a fix is available.

So far, researchers have simply demonstrated that the vulnerability exists and it is not known how dangerous it could be, Cooper said.

'It remains to be seen how important a problem it is, because it depends on whether bad guys do bad things with this information,' he said.

Corporate users aren't affected by the security hole. But home users, running Microsoft's Outlook or Outlook Express e-mail programs, are at risk. But even with the target base reduced, there are still plenty of targets. Outlook Express comes bundled with Microsoft's Internet Explorer browser, which is the most popular Internet browser in use.

Since simply downloading the e-mail triggers the problem, normal 'safe computing' practices may be ineffective in dealing with this new threat.

Microsoft's Culp said the problem component is actually in Internet Explorer, and the company suggests that users upgrade to Internet Explorer version 5.01 Service Pack 1, which can be found free on Microsoft's Web site. That version is not vulnerable to this problem. Internet Explorer 5.5 is also safe for all users except for people running the Windows 2000 operating system. Those users should also get IE 5.01 SP1

http://www.smh.com.au/breaking/0007/19/A16705-2000Jul19.shtml

-- Martin Thompson (mthom1927@aol.com), July 18, 2000


Moderation questions? read the FAQ