[ISN] Sendmail posts fix for email glitch

From: mea culpa (jerichoat_private)
Date: Thu Aug 13 1998 - 00:31:03 PDT

Next message: mea culpa: "[ISN] Upcoming security Conferences...."

Previous message: mea culpa: "[ISN] U.S. Still not prepared for cybercrime"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded From: "Prosser, Mike" <Mike_Prosserat_private>

[If you are running Sendmail 8.9.1, this might interest you.  Supposedly
 a pre-emptive fix to the long file name problem in mail handlers
 -mike]

Sendmail posts fix for email glitch 
By Randy Weston <mailto:randywat_private>
Staff Writer, CNET NEWS.COM
August 11, 1998, 11:25 a.m. PT 

The slew of email program security holes found in recent weeks is
prompting one of the leading makers of server-based routing software to
develop its own solution to the problem. 

Sendmail <http://www.sendmail.com/> in Emeryville, California, is to post
today a patch that can be installed on its email server software,
preventing companies from having to undergo the laborious task of
installing patches on sometimes thousands of PCs spread out around a
company. 

The patch cures security holes </News/Item/0,4,24668,00.html> that
currently affect Netscape Communications' <http://www.netscape.com/>
Communicator email system and Microsoft's <http://www.microsoft.com/>
Outlook and Outlook Express email software.

While the security flaw is not in the server software, Sendmail began
developing the server-based patch at the urging of the nonprofit Computer
Emergency Response Team <http://www.cert.org/>, or CERT. The organization
is based at Carnegie Mellon University <http://www.cmu.edu/> and focuses
on Internet security issues. According to Sendmail executives, the patch
they developed truncates long headers before they arrive in end users'
mailboxes based on the setting of a new option.

The "long file name" security glitch affects the way email clients handle
file attachments with extremely long file names. When a user attempts to
download, open, or launch a file attachment that has a name greater than
200 characters in length, the action might cause the email software to
crash. At that point, a skilled hacker could possibly run arbitrary code
in the computer's memory, according to a security bulletin posted recently
by Microsoft.

The patch, which is available for free, is for Version 8.9.1 of Sendmail's
email routing system. Users can find the patch at Sendmail's Web site
<http://www.sendmail.com/sendmail.8.9.1a.html>.


-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: New Dimensions International [www.newdimensions.net]

Next message: mea culpa: "[ISN] Upcoming security Conferences...."
Previous message: mea culpa: "[ISN] U.S. Still not prepared for cybercrime"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:00:51 PDT