Joe
>Date: Wed, 29 Jul 1998 18:27:12 -0400
>Reply-To: Stephen Goldberg <GOLDBERG@ADLIBV.ADELPHI.EDU>
>Sender: SJU American Chemical Society <NYACS-L@MAELSTROM.STJOHNS.EDU>
>From: Stephen Goldberg <GOLDBERG@ADLIBV.ADELPHI.EDU>
>Subject: E-Mail flaw reported in NY Times -Forwarded
>To: NYACS-L@MAELSTROM.STJOHNS.EDU
>
>Hi,
>
>This is Steve Goldberg and I am forwarding an article from today's
>New York Times about an e-mail problem. Depending on the mailer you
>use this may or may not be a relevant article.
>
>Also, I am forwarding to all of you who are in my e-mail address
>book. Some of you may be in multiple mailing groups so you might get
>this message twice. I apologize in advance for any inconvenience.
>
>SZG
>
>Forwarded Mail received from: Stephen Goldberg
>
> Date: 07/29/1998 09:53 am (Wednesday)
> From: Stephen Goldberg
> To: everyone
> Subject: E-Mail flaw reported in NY Times
>
>NEW YORK TIMES, July 29, 1998
>
>Security Flaw Discovered in E-Mail Programs
>By JOHN MARKOFF
>
> SAN FRANCISCO -- A serious security flaw has been discovered
>in popular e-mail programs published by Microsoft Corp. and Netscape
>Communications Corp. that would permit a malicious person to send a
>message containing a virus that could crash a computer, destroy or
>even steal data.
>
> So far, security tests have shown that the flaw exists in
>three of the four most popular e-mail programs, used by perhaps tens
>of millions of people around the world: Microsoft's Outlook Express
>and Outlook 98 and Netscape's Web browser, Navigator, which is part
>of its Communicator suite of Internet programs.
>
> While Microsoft is already providing fixes, the flaw is
>particularly worrisome in the Microsoft Outlook 98 program, which
>combines e-mail with a scheduler, contact list, notes and other
>tasks, because this software allows an illicit program attached to a
>piece of e-mail to execute without any activity on the part of the
>person using the target computer. Most computer viruses can only
>infect a machine when the user opens an infected file or attempts to
>run an infected program.
>
> What is more, Microsoft admitted on Tuesday that the first
>fix that was offered on the company's Web site, on Monday, does not
>repair the problem. Anyone who downloaded and installed that fix will
>have to return to the Web site and download and install the new
>version.
>
> Microsoft reported on Tuesday that users of its Outlook
>Express program, the e-mail software supplied with Windows 95 and
>Windows 98, would have to open an infected attachment before a
>malicious program could be executed.
>
> Netscape officials said on Tuesday that a user of their
>Communicator program would also have to open a file before a virus
>could activate.
>
> The extra danger of the Outlook 98 program is that it allows
>a malicious e-mail attachment to execute at the moment the e-mail
>message arrives at the computer.
>
> Microsoft officials said that the flaw was present in
>versions of the Outlook Express shipped with Microsoft Internet
>Explorer 4.0 or 4.01 on Windows 98, Windows 95, Windows NT 4.0 and
>Windows NT for DEC Alpha, as well as in versions for Macintosh and
>UNIX machines.
>
> Windows 3.1 and Windows NT 3.51 versions of Internet Explorer
>are not affected.
>
> In all, Microsoft said on Tuesday that it had distributed
>about 2 million copies of the more seriously flawed Outlook 98
>program and at least a million copies of Outlook Express.
>
> Netscape could only report that 70 million copies of its
>Navigator/Communicator software had been downloaded, but the company
>could not determine how many people used the browser's built-in
>e-mail software. Many people use separate, more sophisticated
>programs than those that are shipped with browsers.
>
> The most popular of these is Eudora, a mail program published
>by the Qualcomm Corp. Security researchers said that Eudora was not
>vulnerable to the problem.
>
> Although there is no evidence yet that any computer virus has
>been distributed that exploits this newly discovered vulnerability,
>security experts say that since word of the flaw leaked on the
>Internet over the weekend, virus makers are undoubtedly already aware
>of it and will work quickly to take advantage of it.
>
> As of Tuesday, Microsoft was already providing "patches,"
>small programs that repair the flaw in e-mail programs in question
>for its Windows and NT operating system. The company said that fixes
>for Macintosh and Unix computers would be forthcoming.
>
> Microsoft officials said that the company's software
>development group was attempting to determine how the flawed code
>made it into their software.
>
> Netscape officials posted a notice about the problem on their
>Web site on Tuesday, noting that the flaw only affects the Windows
>and Windows NT versions of Navigator, not those distributed for
>Macintosh or UNIX machines. The company said it would post a patch
>for its Windows and NT versions within two weeks. Neither company
>currently has any plans to notify users of the danger and the
>availability of patches other than the notices on the Internet.
>
> The Microsoft patches are available at
>www.microsoft.com/ie/security. As of Tuesday, none of the virus
>detection programs were yet offering protection from -- or even
>detection of -- malicious e-mail attachments designed to exploit the
>flaw. Officials at Symantec Corp. said that they were now exploring
>how they might add new functions to their software to detect this
>type of virus, but they said they would not be able to offer any
>protection in the near term.
>
> Corporate users of electronic mail typically have their
>e-mail programs configured to check for mail every 10 minutes or so
>while on line and then automatically download any new messages to the
>computer's hard drive.
>
> Security experts said they were astounded that both companies
>had distributed software containing a well-known type
>of program-design error. The code that resulted in the flaw has been a
>widely documented problem for more than 30 years.
>
> "I'm appalled that a flaw like this would be in recently
>written software, given what we know," said Eugene Spafford, director
>of the Center for Education and Research in Information Assurance and
>Security at Purdue University.
>
> Several security specialists attributed the flaw to heated
>competition between Microsoft and Netscape for domination of the
>Internet market.
>
> Both companies have been rushing programs to market in record
>times, giving them away for free and largely turning millions of
>Internet users into a massive audience of software testers.
>
> A number of computer security researchers also said that
>because the program had been so widely disseminated on commercial
>CD-ROMs, as part of the Windows operating system and over the
>Internet, closing the hole might prove to be a particularly vexing
>task.
>
> Last week, security experts who have been aware of the
>problem for several weeks began talking openly about the possibility
>of forcing the software publishers to issue a general recall of their
>software because of the potential danger. The Federal Trade
>Commission, the government agency responsible for such recalls, has
>never recalled software and does not have a policy for doing so.
>
> "What we need is to begin to treat computer security issues
>with as much fervor as we treat a medical issue or a financial issue,"
>said Russ Cooper, a software security expert and the moderator of a
>mailing list that deals with Microsoft software bugs. "To do this we
>need a mechanism for software recalls. Microsoft needs to recall all
>Windows 98 CDs and all CDs produced with the affected versions of
>Outlook Express and Outlook 98, and Netscape needs to recall all the
>affected version of their Communicator suite." Microsoft executives
>said that the company had begun putting into place user protection
>mechanisms that would make software recalls unnecessary.
>
> For example, beginning with its Windows 98 program, Microsoft
>added a Windows Update feature that notifies users if their software
>is not up-to-date.
>
> To use the feature, however, the users have to press the
>Start button, followed by Settings, followed by Windows Update. What
>is more, as of tonight, the automatic update feature offered a patch
>for the Outlook Express problem but did not even mention the far more
>serious Outlook 98 flaw.
>
>
>Copyright 1998 The New York Times Company
>
Joseph Fernandez
Associate Director
The Rockefeller University
Protein/DNA Technology Center
1230 York Ave. New York, NY 10021
Phone: (212)-327-8869
FAX : (212)-327-8620
email: fernaj@rockvax.rockefeller.edu
Lab Web Page: http:\\pdtc.rockefeller.edu