Dangerous Bug Reading Mail with Microsoft Outlook or Netscape

We have been telling you for years that just opening an e-mail message could not infect your computer with a virus or execute a damaging program. Moreover, we have warned that mail messages purportedly warning you about e-mail that would launch a virus by just opening the message were themselves malicious hoaxes. This is still generally true. See: http://ciac.llnl.gov/ciac/CIACHoaxes.html

Unfortunately, it is no longer universally true. A bug has been found in two popular e-mail clients - Microsoft Outlook, and the mail reader component of Netscape 4. This is being widely reported in the press.

Vulnerability:

Who is vulnerable:

Who is NOT vulnerable:

(Note: you can safely send mail with Outlook or Netscape.)

In summary, MOST USERS in CCMR/LASSP ARE NOT VULNERABLE.

I will explain the bug in greater detail at the end of this message. At this point, no real exploits have been reported.

Patches:

There is a patch for Microsoft Outlook. If you are using Microsoft Outlook, please go to: http://www.microsoft.com/ie/security and look for the "Outlook Express File Attachment" fix.

There currently is not yet a patch for Netscape, but http://home.netscape.com/products/security/resources/bugs/longfile.html contains a work-around, and promises a fix within two weeks.

Useful background information (and a tirade on software insecurity) can be found at: http://ntbugtraq.ntadvice.com/editorials/newworm.asp

Recommendations:

  1. Read mail on Unix or with Eudora on a Mac or PC.
  2. Don't use Outlook on Windows or MacOS.
  3. Don't use Netscape mail in Windows.
  4. If you must read mail with Outlook or with Netscape on Windows on your personal/home machine, be sure to apply the patches and work-arounds above.
  5. Don't use Outlook or Netscape on public NT, 95, or Macintosh machines until we have applied the patches. We will post a message when the patches have been applied.

Details of the problem (you can skip this if you wish):

The type of bug that was exploited in both Outlook and Netscape is called a buffer overflow bug. Very superficially, the bug works as follows:

A programmer allocates a local data space (a buffer) of some fixed size, say 256 characters, in a function to store some external input to the program - in this case the original file name of an attachment. The function fills the buffer with the name stored in the mail message, but without checking how big that name actually is. The failure to check that the filename fits in the buffer is the bug.

A clever hacker can make the input (the file name) longer than the buffer, and cause the program to write into memory past the end of the buffer. Unfortunately, the memory not far past the end of the buffer usually contains the location where the program is supposed to return to once the function is finished. Generally, when this location is overwritten, the program tries to jump to some random area of memory, and the program crashes. However, a really clever hacker can write a new function that does something nasty, and encode that function into an even longer input. Moreover, the hacker can often overwrite the return address with an address that will jump to the nasty new function on the return from the original function. Thus, the hacker can cause the program to do just about anything.
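The bug pattern the two paragraphs above describe, as an added C example that is not part of the original advisory and is not Outlook's or Netscape's code: a fixed 256-byte buffer, an attachment file name copied into it, the vulnerable copy with no length check placed beside a hardened copy that rejects any name that does not fit. The Content-Disposition header line, the function names and the 300-character file name are constructed for this example.

```c
/* Added example, not from the advisory: the attachment-name buffer overflow
 * in a vulnerable and a hardened form. All names and headers are constructed. */
#include <stdio.h>
#include <string.h>

#define NAME_BUF 256   /* the "fixed size, say 256 characters" of the text */

/* Vulnerable form (the bug): copies the name the message supplies with no
 * length check. A name of NAME_BUF bytes or more runs past the end of buf[]
 * and over whatever follows it on the stack, including the saved return
 * address. Undefined behaviour; shown only to make the defect concrete and
 * never called with untrusted input here. */
void store_attachment_name_unsafe(const char *name_from_mail)
{
    char buf[NAME_BUF];
    strcpy(buf, name_from_mail);              /* no bounds check */
    printf("attachment: %s\n", buf);
}

/* Hardened form: check the length before copying. Returns 0 on success,
 * -1 if the name (plus its terminating NUL) does not fit; dst is then empty. */
int store_attachment_name_safe(char *dst, size_t dst_len, const char *name_from_mail)
{
    size_t n = strlen(name_from_mail);
    if (dst_len == 0) return -1;
    if (n >= dst_len) { dst[0] = '\0'; return -1; }
    memcpy(dst, name_from_mail, n + 1);
    return 0;
}

/* Extract the filename parameter from a header line such as
 *   Content-Disposition: attachment; filename="report.txt"
 * into out[] (at most out_len-1 bytes, quotes optional).
 * Returns 0 on success, -1 if absent or too long for out[]. */
int parse_filename_param(const char *header, char *out, size_t out_len)
{
    const char *p = strstr(header, "filename=");
    const char *end;
    size_t n;
    int quoted;
    if (!p || out_len == 0) return -1;
    p += strlen("filename=");
    quoted = (*p == '"');
    if (quoted) p++;
    end = p;
    while (*end && *end != '\r' && *end != '\n' && *end != ';' && !(quoted && *end == '"'))
        end++;
    n = (size_t)(end - p);
    return store_attachment_name_safe(out, out_len, p) == 0 && n == strlen(out)
           ? 0
           : (n < out_len ? (memcpy(out, p, n), out[n] = '\0', 0) : (out[0] = '\0', -1));
}

/* Constructed input: build a Content-Disposition line whose filename is
 * name_len 'A' characters, i.e. the shape of the reported bug. */
static int make_header(char *out, size_t out_len, size_t name_len)
{
    const char *prefix = "Content-Disposition: attachment; filename=\"";
    const char *suffix = "\"\r\n";
    if (strlen(prefix) + name_len + strlen(suffix) + 1 > out_len) return -1;
    strcpy(out, prefix);
    memset(out + strlen(prefix), 'A', name_len);
    strcpy(out + strlen(prefix) + name_len, suffix);
    return 0;
}

/* Returns 0 if a name of name_len characters is accepted into a NAME_BUF
 * buffer, -1 if the hardened path rejects it. */
int header_name_fits(size_t name_len)
{
    char header[1024];
    char name[NAME_BUF];
    if (make_header(header, sizeof header, name_len) != 0) return -1;
    return parse_filename_param(header, name, sizeof name);
}

int main(void)
{
    char name[NAME_BUF];
    if (parse_filename_param("Content-Disposition: attachment; filename=\"report.txt\"\r\n",
                             name, sizeof name) == 0)
        printf("accepted: %s\n", name);
    printf("10-char name:  %s\n", header_name_fits(10) == 0 ? "fits" : "rejected");
    printf("300-char name: %s\n", header_name_fits(300) == 0 ? "fits" : "rejected");
    return 0;
}
```

The only difference between the two copy routines is the comparison of the name's length against the buffer's size; that one missing comparison is the whole of the bug the advisory describes, and it is why antivirus scanners, which look for known malicious content rather than for a program's failure to bound its own input, cannot catch it.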

This kind of bug has been known about for many years. Most of the security holes that have been found in Unix server programs stem from some buffer overflow bug. That popular client programs are vulnerable to similar exploits shouldn't be too surprising. Note that this type of problem can't be detected by current antivirus software. Individual users need to seek out and apply software patches as security holes are found and plugged. (And you were worried about the year 2000 bug. :-)