Theos-Talk Archives (July 1998 Message tl00000)

Here is an excerpt:

"Malicious code may affect systems running
Microsoft or Netscape e-mail.

by Brian McWilliams, PC World News Radio 
July 27, 1998, 3:29 p.m. PT 

Researchers in Finland have discovered a serious
security flaw in e-mail software from both Microsoft and
Netscape.

The bug, identified by the Secure Programming Group
at Finland's Oulu University, can be exploited by an
attacker who sends you an e-mail message with an
attachment that has an extra-long filename. The long
name can cause Microsoft's Outlook 98 and Outlook
Express mail programs, as well as Netscape's
Messenger mail program, to crash from a buffer
overflow. After that, your computer could be forced to
run malicious code that's actually contained right in
that long filename.

The e-mail vulnerability exists on most, but not all,
32-bit Windows systems. Microsoft released a patch
today for its Outlook 98 and Outlook Express e-mail
clients. Netscape said it will have a patch ready in
about two weeks for its Communicator suites, versions
4.05 and 4.5 beta. Qualcomm's Eudora e-mail client
appears not to be affected by the bug.

Both Microsoft and Netscape are urging affected users
to apply the patches as soon as possible. The bug is
especially pernicious because you don't actually have
to open the attachment to be affected. Simply
downloading the message off your mail server can
cause the crash and the malicious code to execute.

Russ Cooper, editor of the NT Bugtraq mailing list,
says the software vendors should go even further and
issue a recall of the affected programs to prevent a
widespread virus or Internet worm outbreak.

Note: As of 7/28, Microsoft has made the appropriate
patch available to Windows 98 users as a "critical"
update available by running the Windows Update utility."