JiscMail Logo
Email discussion lists for the UK Education and Research communities

Help for GP-UK Archives

GP-UK Archives

GP-UK Archives


GP-UK@JISCMAIL.AC.UK


View:

Message:

[

First

|

Previous

|

Next

|

Last

]

By Topic:

[

First

|

Previous

|

Next

|

Last

]

By Author:

[

First

|

Previous

|

Next

|

Last

]

Font:

Proportional Font
LISTSERV Archives

LISTSERV Archives
GP-UK Home

GP-UK Home
GP-UK 1998

GP-UK 1998

Options

Subscribe or Unsubscribe

Subscribe or Unsubscribe

 Log In

Log In

 Get Password

Get Password

Subject:

A WAY A VIRUS REALLY COULD BE SENT BY E_MAIL

From:

Robert Marshall <[log in to unmask]>

Reply-To:

[log in to unmask]

Date:

Sun, 2 Aug 1998 00:14:57 -0700 (PDT)

Content-Type:

TEXT/PLAIN

Parts/Attachments:
Parts/Attachments

TEXT/PLAIN (210 lines) 

Usual apologies for cross-posting.
Unlike the now infamous Internet hoaxes regarding e-mails containing 
viruses, this possibility has been verified by the Dept of Energy's Computer 
Incident Advisory Capability (CIAC) team at the Lawrence Livermore National 
Laboratory:
     
     From: TOURBUS -- 29 JULY 1998 -- EMAIL VULNERABILITIES IN MICROSOFT 
     OUTLOOK AND NETSCAPE MESSENGER
     
     /   \ /   \                                                 /   \
     \___/ \___/    T h e  I n t e r n e t  T o u r B u s        \___/
     
     TODAY'S TOURBUS TOPIC:  EMAIL VULNERABILITIES IN OUTLOOK AND MESSENGER
     
     According to reports first published in the San Jose Mercury News and
     confirmed yesterday by the United State's Department of Energy's
     Computer Incident Advisory Capability team (CIAC) at the Lawrence
     Livermore National Laboratory, Microsoft Outlook, Microsoft Outlook
     Express, and Netscape Messenger all contain serious flaws that could
     potentially damage your computer.  The CIAC bulletin warns that
     Outlook, Outlook Express, and Messenger all contain a "buffer overflow
     vulnerability" that
     
          allows an e-mail or news message to contain malicious code in a
          mime header.  That code is executed when the header is processed
          by the e-mail/news reader ...
     
          If exploited, this vulnerability allows a remote user to run
          arbitrary code on a user's machine with the user's privileges.
          The remotely executed code could do anything from sending
          thousands of e-mails in the user's name to formatting the hard
          drive.
     
          [quoted from http://ciac.llnl.gov/ciac/bulletins/i-077a.shtml]
     
     Here is what all of this means in English.  If you have used a
     computer for a while, you know that computer file names can only be so
     long.  For example, in DOS the longest file name allowed is only 11
     characters long (a maximum of eight characters for the filename and
     three for the file extension).  If all of this confuses you, look at
     the following:
     
          FILENAME           EXT        WILL DOS ACCEPT THIS FILE NAME?
          12345678           123
          ----------------------------------------------------------------
          ROADMAP            TXT        Yes.
          BATCH              C          Yes.
          TOURBUSRULES       DUDE       No.  Both the filename and file
                                        extension are too long.
     
     Newer platforms like Windows 95 and 98 allow much longer file names
     (256 characters, I think), but the important point here is computer
     file names can only be so long.
     What happens if a computer file name is longer than the computer
     normally allows?  Usually, the computer just burps and throws up an
     error message.  In Outlook, Outlook Express, and Messenger, however,
     the computer does something entirely different.
     
     Let us say someone sends you a program attached to an email message
     and the program's file name is
     
          ROADMAP.TXTFORMAT_THE_HARD_DRIVE_AND_DO_OTHER_NASTY_STUFF
     
     Let us also assume that we are still living in the DOS world, so the
     eleven character file name limits we discussed earlier are still in
     effect.  Clearly, the file name for our little attachment is MUCH
     longer than eleven characters.
     
     According to the CIAC,
     
          In the vulnerable readers, the headers [or, in this case, the
          file names of attached files] are read into memory and processed
          without checking their length.  When the length of the header is
          longer than one of the buffers in memory where it is stored
          during processing, data in the header that falls beyond the end
          of the buffer overwrites other code and data in memory.  This
          overwriting is the classic "buffer overflow" condition.  If the
          overwritten piece of memory is part of the running program, the
          code from the header in the overwritten part is executed in place
          of the program's code.
     
          [quoted from http://ciac.llnl.gov/ciac/bulletins/i-077a.shtml]
     
     In other words, in our DOS-world example, the computer could read the
     file name "ROADMAP.TXTFORMAT_THE_HARD_DRIVE_AND_DO_OTHER_NASTY_STUFF"
     as
     
          ROADMAP.TXT
          FORMAT_THE_HARD_DIVE_AND_DO_OTHER_NASTY_STUFF
     
     and could possibly: 1) think that second line is a command; and 2)
     execute that command.
     
     This example is pretty simplistic (in the real world the file names
     would have to be over 200 characters long before a buffer overflow
     would occur), but it should give you a better idea of what the problem
     is.  It is also important to note that while the buffer overflow
     problem in Outlook, Outlook Express, and Messenger has the potential
     to cause damage to a person's computer, there have been no reports
     yet of anyone exploiting this vulnerability for malicious purposes.
     
     Still, many people could be affected by this buffer overflow problem:
     
          People who use a version of Outlook Express that shipped with
          Microsoft Internet Explorer 4.0 or 4.01 on Windows 98, Windows
          95, Windows NT 4.0, Windows NT for DEC Alpha, Macintosh, or UNIX.
          Windows 3.1 and Windows NT 3.51 versions of Internet Explorer are
          *NOT* affected by this issue.  For information on how to fix the
          buffer overflow problem in Outlook Express, go to
          http://www.microsoft.com/ie/security/oelong.htm
     
          People who installed Outlook '98 using the Internet Mail Only
          (IMO) installation or the Internet E-mail service in the
          Corporate or Workgroup (CW) installation.  For information on how
          to fix the buffer overflow problem in Outlook '98, go to
          http://support.microsoft.com/support/downloads/LNP499.asp
          and then click on the "More Information" link beneath the
          "OUTPATCH.EXE: Microsoft Outlook 98 Security Patch" paragraph.
     
          People who use the mail and news components of Netscape
          Communicator 4.0 through 4.05 on Windows 3.1, 95, 98, and NT.
          Also vulnerable are people who use the mail and news components
          of Netscape Communicator 4.5 Preview Release 1 on Windows 95, 98,
          and NT.  For more information on how to deal with the buffer
          overflow problem in Netscape Messenger (Mail), go to
          
     http://home.netscape.com/products/security/resources/bugs/longfile.htm
     l
     
     If you use *ANY* other email program you do not need to worry.  The
     buffer overflow problem apparently does not (and will not) affect you.
     This is an important point, so I will say it again.  Unless you use
     Microsoft Outlook, Microsoft Outlook Express, or Netscape Messenger
     (also known as "Netscape Mail"), you do not have to worry about the
     buffer overflow problem.  It does *NOT* affect you or your email
     program.
     
     I also want to share with you something that the CIAC mentioned in its
     most recent bulletin
     
          While at first glance this appears to [be] the Good_Times hoax
          come to life (see http://ciac.llnl.gov/ciac/
          CIACHoaxes.html#goodtimes) this is not really the case.
          Good_Times was supposed to run itself on any system that
          downloaded and read the Good_Times message.  This mime name
          vulnerability is caused by improperly handled mime headers in a
          few versions of some very popular e-mail/news readers.  By
          replacing the vulnerable readers with properly patched versions,
          this vulnerability is eliminated.
     
     In other words, despite the media's recent cries that this buffer
     overflow problem is proof the "email sky" is falling, the world of
     email is still extremely safe.  The problems with Outlook, Outlook
     Express, and Messenger are simply an example of poor programming.
     Microsoft's and Netscape's programming errors aside, you still can not
     get a virus or Trojan Horse from simply reading an email letter with
     your eyes, regardless of that letter's subject line.  Anyone who tells
     you otherwise is either misinformed or is lying.
     
     For more information on this issue, visit the CIAC's most recent
     bulletin on the buffer overflow problem at
     
          http://ciac.llnl.gov/ciac/bulletins/i-077a.shtml
     
     Actually, you might want to also check
     
          http://ciac.llnl.gov/cgi-bin/index/bulletins?i
     
     to see if the CIAC has release any new bulletins on this issue (the
     latest bulletin is I-077a).
     
     Since the San Jose Mercury News was the first news organization to
     report this story, you might want to check out David Wilson's article
     "U.S. issues alert over e-mail flaw"
     
          http://www.sjmercury.com/business/tech/docs/security072998.htm
     
     I'm only guessing here, but I'd be willing to bet that the folks at
     the San Jose Mercury News will continue to follow this story closely
     and will post regular updates in their Good Morning Silicon Valley
     section at
     
          http://www.sjmercury.com/gmsv/gmsv_morning.shtml
     
     and in their business "tech wire" section at
     
          http://www.sjmercury.com/business/tech/
     
     For more information on the Mercury News, see the 25 June 1998 or 21
     May 1998 TOURBUS posts at <http://www.tourbus.com/archives.htm>.  For
     more information on the CIAC, see the 19 March 1998 TOURBUS post at
     the same address.
     
     ... and yes, you have my permission to forward today's post to your
     friends.  All I ask in return is that you forward *ALL* of today's
     post -- ads, Southern Words, subscription info, everything.  And if
     you include a plug telling your friends they *have* to subscribe to
     TOURBUS because it is so cool, I promise I'll be your new best
     friend.  :P
     
     =====================[ TOURBUS Rider Information ]===================
        The Internet TOURBUS - U.S. Library of Congress ISSN #1094-2238
           Copyright 1995-98, Rankin & Crispen - All rights reserved
                 Archives on the Web at http://www.TOURBUS.com
     =====================================================================



%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

Top of Message | Previous Page | Permalink

JiscMail Tools


RSS Feeds and Sharing


Advanced Options


Archives

March 2024
October 2023
August 2023
June 2023
May 2023
February 2023
June 2022
October 2021
January 2021
October 2020
September 2020
August 2020
July 2020
June 2020
March 2020
January 2020
December 2019
September 2019
July 2019
June 2019
May 2019
March 2019
February 2019
January 2019
September 2018
August 2018
July 2018
June 2018
May 2018
April 2018
March 2018
January 2018
December 2017
November 2017
October 2017
September 2017
August 2017
July 2017
June 2017
May 2017
March 2017
January 2017
December 2016
November 2016
October 2016
September 2016
August 2016
July 2016
June 2016
May 2016
April 2016
March 2016
February 2016
January 2016
December 2015
November 2015
October 2015
September 2015
August 2015
July 2015
June 2015
May 2015
April 2015
March 2015
February 2015
January 2015
December 2014
November 2014
October 2014
September 2014
August 2014
July 2014
June 2014
May 2014
April 2014
March 2014
February 2014
January 2014
December 2013
November 2013
October 2013
September 2013
August 2013
July 2013
June 2013
May 2013
April 2013
March 2013
February 2013
January 2013
December 2012
November 2012
October 2012
September 2012
August 2012
July 2012
June 2012
May 2012
April 2012
March 2012
February 2012
January 2012
December 2011
November 2011
October 2011
September 2011
August 2011
July 2011
June 2011
May 2011
April 2011
March 2011
February 2011
January 2011
December 2010
November 2010
October 2010
September 2010
August 2010
July 2010
June 2010
May 2010
April 2010
March 2010
February 2010
January 2010
December 2009
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
2006
2005
2004
2003
2002
2001
2000
1999
1998
1997
1996


JiscMail is a Jisc service.

View our service policies at https://www.jiscmail.ac.uk/policyandsecurity/ and Jisc's privacy policy at https://www.jisc.ac.uk/website/privacy-notice

For help and support help@jisc.ac.uk

Secured by F-Secure Anti-Virus CataList Email List Search Powered by the LISTSERV Email List Manager