Business Technology
July 29, 1998

Security Flaw Discovered in E-Mail Programs

By JOHN MARKOFF

SAN FRANCISCO -- A serious security flaw has been discovered in popular e-mail programs published by Microsoft Corp. and Netscape Communications Corp. that would permit a malicious person to send a message containing a virus that could crash a computer, destroy or even steal data.

So far, security tests have shown that the flaw exists in three of the four most popular e-mail programs, used by perhaps tens of millions of people around the world: Microsoft's Outlook Express and Outlook 98 and Netscape's Web browser, Navigator, which is part of its Communicator suite of Internet programs.

While Microsoft is already providing fixes, the flaw is particularly worrisome in the Microsoft Outlook 98 program, which combines e-mail with a scheduler, contact list, notes and other tasks, because this software allows an illicit program attached to a piece of e-mail to execute without any action on the part of the person using the target computer. Most computer viruses can infect a machine only when the user opens an infected file or attempts to run an infected program.

What is more, Microsoft admitted on Tuesday that the first fix that was offered on the company's Web site, on Monday, does not repair the problem. Anyone who downloaded and installed that fix will have to return to the Web site and download and install the new version.

Microsoft reported on Tuesday that users of its Outlook Express program, the e-mail software supplied with Windows 95 and Windows 98, would have to open an infected attachment before a malicious program could be executed.

Netscape officials said on Tuesday that a user of their Communicator program would also have to open a file before a virus could activate. The extra danger of the Outlook 98 program is that it allows a malicious e-mail attachment to execute at the moment the e-mail message arrives at the computer.

Microsoft officials said that the flaw was present in versions of the Outlook Express shipped with Microsoft Internet Explorer 4.0 or 4.01 on Windows 98, Windows 95, Windows NT 4.0 and Windows NT for DEC Alpha, as well as in versions for Macintosh and UNIX machines.

Windows 3.1 and Windows NT 3.51 versions of Internet Explorer are not affected.

In all, Microsoft said on Tuesday that it had distributed about 2 million copies of the more seriously flawed Outlook 98 program and at least a million copies of Outlook Express.

Netscape could only report that 70 million copies of its Navigator/Communicator software had been downloaded, but the company could not determine how many people used the browser's built-in e-mail software. Many people use separate, more sophisticated programs than those that are shipped with browsers.

The most popular of these is Eudora, a mail program published by the Qualcomm Corp. Security researchers said that Eudora was not vulnerable to the problem.

Although there is no evidence yet that any computer virus has been distributed that exploits this newly discovered vulnerability, security experts say that since word of the flaw leaked on the Internet over the weekend, virus makers are undoubtedly already aware of it and will work quickly to take advantage of it.

As of Tuesday, Microsoft was already providing "patches," small programs that repair the flaw in e-mail programs in question for its Windows and NT operating system. The company said that fixes for Macintosh and Unix computers would be forthcoming.

Microsoft officials said that the company's software development group was attempting to determine how the flawed code made it into their software.

Netscape officials posted a notice about the problem on their Web site on Tuesday, noting that the flaw only affects the Windows and Windows NT versions of Navigator, not those distributed for Macintosh or UNIX machines. The company said it would post a patch for its Windows and NT versions within two weeks. Neither company currently has any plans to notify users of the danger and the availability of patches other than the notices on the Internet.

The Microsoft patches are available at www.microsoft.com/ie/security. As of Tuesday, none of the virus detection programs were yet offering protection from -- or even detection of -- malicious e-mail attachments designed to exploit the flaw. Officials at Symantec Corp. said that they were now exploring how they might add new functions to their software to detect this type of virus, but they said they would not be able to offer any protection in the near term.

Corporate users of electronic mail typically have their e-mail programs configured to check for mail every 10 minutes or so while on line and then automatically download any new messages to the computer's hard drive.

Security experts said they were astounded that both companies had distributed software containing a well-known type of program-design error. The code that resulted in the flaw has been a widely documented problem for more than 30 years.

"I'm appalled that a flaw like this would be in recently written software, given what we know," said Eugene Spafford, director of the Center for Education and Research in Information Assurance and Security at Purdue University.

Several security specialists attributed the flaw to heated competition between Microsoft and Netscape for domination of the Internet market. Both companies have been rushing programs to market in record times, giving them away for free and largely turning millions of Internet users into a massive audience of software testers.

A number of computer security researchers also said that because the program had been so widely disseminated on commercial CD-ROMs, as part of the Windows operating system and over the Internet, closing the hole might prove to be a particularly vexing task.

Last week, security experts who have been aware of the problem for several weeks began talking openly about the possibility of forcing the software publishers to issue a general recall of their software because of the potential danger. The Federal Trade Commission, the government agency responsible for such recalls, has never recalled software and does not have a policy for doing so.

"What we need is to begin to treat computer security issues with as much fervor as we treat a medical issue or a financial issue," said Russ Cooper, a software security expert and the moderator of a mailing list that deals with Microsoft software bugs. "To do this we need a mechanism for software recalls. Microsoft needs to recall all Windows 98 CDs and all CDs produced with the affected versions of Outlook Express and Outlook 98, and Netscape needs to recall all the affected versions of their Communicator suite."

Microsoft executives said that the company had begun putting into place user protection mechanisms that would make software recalls unnecessary. For example, beginning with its Windows 98 program, Microsoft added a Windows Update feature that notifies users if their software is not up-to-date.

To use the feature, however, the users have to press the Start button, followed by Settings, followed by Windows Update. What is more, as of tonight, the automatic update feature offered a patch for the Outlook Express problem but did not even mention the far more serious Outlook 98 flaw.


Copyright 1998 The New York Times Company