[ISN] E-Mail Security Flaw Found

From: mea culpa (jerichoat_private)
Date: Mon Aug 03 1998 - 14:15:27 PDT


    [Moderator: There were several articles on this sent in. If you want more 
     info, most of the big news sites have something on it.]
    E-Mail Security Flaw Found 
    SEATTLE (AP) - Computer security experts have reportedly identified a flaw
    in three widely used e-mail programs made by Microsoft and Netscape that
    could allow Internet-based attacks.
    Though no attacks have been reported, experts worry that millions of
    people will need to upgrade their software to remain safe from
    unscrupulous hackers who know about the loophole.
    The flaw allows any outsider to send a booby-trapped message that could,
    among other things, erase a computer's hard drive.
    ``This is something that goes right to the soft, chewy inside of your
    computer,'' computer consultant Russ Cooper of Lindsey, Ontario, told The
    San Diego Union-Tribune in a story Tuesday. 
    Most e-mailed attacks involve attachments to e-mail and are harmless
    unless the user runs the attached program. The new flaw, however, cannot
    be so easily avoided. In some test cases, simply trying to delete e-mail
    activated the attack. 
    The attacks cannot be guarded against with firewalls or anti-viral
    software, the two most widely used security methods. 
    Finnish researchers discovered the problem last month. Since then, tests
    have shown its presence in Microsoft Corp.'s Outlook Express and Outlook
    98, and Netscape Communications Corp.'s current Web browser, Communicator.
    Researchers are also checking other programs. 
    Both Netscape and Microsoft were informed of the problem. Microsoft has
    devised a software patch that is now available at its Web site. 
    Netscape's patch is expected soon at its Web site.
    ``We're definitely not taking this lightly,'' Microsoft group product
    manager George Meng told the San Jose Mercury News. ``There definitely is
    a scenario in which someone could do damage to people's systems.''
    The flaw exists on any type of Windows machine, from 3.1 to NT and on
    computers running Sun Microsystems Inc.'s Solaris operating system, as well
    as computers made by Apple Computer Inc. 
    The Microsoft list of computers at risk includes UNIX systems using
    Outlook Express 4.0.
    ``My concern is that this is going to develop into more of a problem as
    time goes on, as people miss the original warning or forget about it, and
    then people start exploiting it,'' said Eugene H. Spafford, director of
    the Center for Education and Research in Information Assurance and
    Security at Purdue University.
    ``People just don't take security seriously,'' Spafford told the Mercury
