[ISN] E-Mail Security Flaw Found

From: mea culpa <jericho_at_dimensional.com>
Date: Mon 03 Aug 1998 - 16:15:27 CDT

[Moderator: There were several articles on this sent in. If you want more 
 info, most of the big news sites have something on it.]


E-Mail Security Flaw Found 

SEATTLE (AP) -- Computer security experts have reportedly identified a flaw
in three widely used e-mail programs made by Microsoft and Netscape that
could allow Internet-based attacks.

Though no attacks have been reported, experts worry that millions of
people will need to upgrade their software to remain safe from
unscrupulous hackers who know about the loophole.

The flaw allows any outsider to send a booby-trapped message that could,
among other things, erase a computer's hard drive.

``This is something that goes right to the soft, chewy inside of your
computer,'' computer consultant Russ Cooper of Lindsay, Ontario, told The
San Diego Union-Tribune in a story Tuesday. 

Most e-mailed attacks involve attachments to e-mail and are harmless
unless the user runs the attached program. The new flaw, however, cannot
be so easily avoided. In some test cases, simply trying to delete e-mail
activated the attack. 

The attacks cannot be guarded against with firewalls or anti-viral
software, the two most widely used security methods. 

Finnish researchers discovered the problem last month. Since then, tests
have shown its presence in Microsoft Corp.'s Outlook Express and Outlook
98, and Netscape Communications Corp.'s current Web browser, Communicator.

Researchers are also checking other programs. 

Both Netscape and Microsoft were informed of the problem. Microsoft has
devised a software patch that is now available at its Web site. 
Netscape's patch is expected soon at its Web site.

``We're definitely not taking this lightly,'' Microsoft group product
manager George Meng told the San Jose Mercury News. ``There definitely is
a scenario in which someone could do damage to people's systems.''

The flaw exists on any type of Windows machine, from 3.1 to NT, and on
computers running Sun Microsystems Inc.'s Solaris operating system, as well
as computers made by Apple Computer Inc. 

The Microsoft list of computers at risk includes UNIX systems using
Outlook Express 4.0.

``My concern is that this is going to develop into more of a problem as
time goes on, as people miss the original warning or forget about it, and
then people start exploiting it,'' said Eugene H. Spafford, director of
the Center for Education and Research in Information Assurance and
Security at Purdue University.

``People just don't take security seriously,'' Spafford told the Mercury
News. 


-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]
Received on Wed Aug 5 12:24:50 1998