Usual apologies for cross-posting.
Unlike the now infamous Internet hoaxes regarding e-mails containing
viruses, this possibility has been verified by the Dept of Energy's Computer
Incident Advisory Capability (CIAC) team at the Lawrence Livermore National
Laboratory:
From: TOURBUS -- 29 JULY 1998 -- EMAIL VULNERABILITIES IN MICROSOFT
OUTLOOK AND NETSCAPE MESSENGER
The Internet TourBus
TODAY'S TOURBUS TOPIC: EMAIL VULNERABILITIES IN OUTLOOK AND MESSENGER
According to reports first published in the San Jose Mercury News and
confirmed yesterday by the United States Department of Energy's
Computer Incident Advisory Capability team (CIAC) at the Lawrence
Livermore National Laboratory, Microsoft Outlook, Microsoft Outlook
Express, and Netscape Messenger all contain serious flaws that could
potentially damage your computer. The CIAC bulletin warns that
Outlook, Outlook Express, and Messenger all contain a "buffer overflow
vulnerability" that
allows an e-mail or news message to contain malicious code in a
mime header. That code is executed when the header is processed
by the e-mail/news reader ...
If exploited, this vulnerability allows a remote user to run
arbitrary code on a user's machine with the user's privileges.
The remotely executed code could do anything from sending
thousands of e-mails in the user's name to formatting the hard
drive.
[quoted from http://ciac.llnl.gov/ciac/bulletins/i-077a.shtml]
Here is what all of this means in English. If you have used a
computer for a while, you know that computer file names can only be so
long. For example, in DOS the longest file name allowed is only 11
characters long (a maximum of eight characters for the filename and
three for the file extension). If all of this confuses you, look at
the following:
FILENAME      EXT   WILL DOS ACCEPT THIS FILE NAME?
12345678      123
----------------------------------------------------------------
ROADMAP       TXT   Yes.
BATCH         C     Yes.
TOURBUSRULES  DUDE  No. Both the filename and file
                    extension are too long.
Newer platforms like Windows 95 and 98 allow much longer file names
(256 characters, I think), but the important point here is computer
file names can only be so long.
What happens if a computer file name is longer than the computer
normally allows? Usually, the computer just burps and throws up an
error message. In Outlook, Outlook Express, and Messenger, however,
the computer does something entirely different.
Let us say someone sends you a program attached to an email message
and the program's file name is
ROADMAP.TXTFORMAT_THE_HARD_DRIVE_AND_DO_OTHER_NASTY_STUFF
Let us also assume that we are still living in the DOS world, so the
eleven character file name limits we discussed earlier are still in
effect. Clearly, the file name for our little attachment is MUCH
longer than eleven characters.
According to the CIAC,
In the vulnerable readers, the headers [or, in this case, the
file names of attached files] are read into memory and processed
without checking their length. When the length of the header is
longer than one of the buffers in memory where it is stored
during processing, data in the header that falls beyond the end
of the buffer overwrites other code and data in memory. This
overwriting is the classic "buffer overflow" condition. If the
overwritten piece of memory is part of the running program, the
code from the header in the overwritten part is executed in place
of the program's code.
[quoted from http://ciac.llnl.gov/ciac/bulletins/i-077a.shtml]
In other words, in our DOS-world example, the computer could read the
file name "ROADMAP.TXTFORMAT_THE_HARD_DRIVE_AND_DO_OTHER_NASTY_STUFF"
as
ROADMAP.TXT
FORMAT_THE_HARD_DRIVE_AND_DO_OTHER_NASTY_STUFF
and could possibly: 1) think that second line is a command; and 2)
execute that command.
This example is pretty simplistic (in the real world the file names
would have to be over 200 characters long before a buffer overflow
would occur), but it should give you a better idea of what the problem
is. It is also important to note that while the buffer overflow
problem in Outlook, Outlook Express, and Messenger has the potential
to cause damage to a person's computer, there have been no reports
yet of anyone exploiting this vulnerability for malicious purposes.
Still, many people could be affected by this buffer overflow problem:

People who use a version of Outlook Express that shipped with
Microsoft Internet Explorer 4.0 or 4.01 on Windows 98, Windows
95, Windows NT 4.0, Windows NT for DEC Alpha, Macintosh, or UNIX.
Windows 3.1 and Windows NT 3.51 versions of Internet Explorer are
*NOT* affected by this issue. For information on how to fix the
buffer overflow problem in Outlook Express, go to
http://www.microsoft.com/ie/security/oelong.htm

People who installed Outlook '98 using the Internet Mail Only
(IMO) installation or the Internet E-mail service in the
Corporate or Workgroup (CW) installation. For information on how
to fix the buffer overflow problem in Outlook '98, go to
http://support.microsoft.com/support/downloads/LNP499.asp
and then click on the "More Information" link beneath the
"OUTPATCH.EXE: Microsoft Outlook 98 Security Patch" paragraph.

People who use the mail and news components of Netscape
Communicator 4.0 through 4.05 on Windows 3.1, 95, 98, and NT.
Also vulnerable are people who use the mail and news components
of Netscape Communicator 4.5 Preview Release 1 on Windows 95, 98,
and NT. For more information on how to deal with the buffer
overflow problem in Netscape Messenger (Mail), go to
http://home.netscape.com/products/security/resources/bugs/longfile.html

If you use *ANY* other email program you do not need to worry. The
buffer overflow problem apparently does not (and will not) affect you.
This is an important point, so I will say it again. Unless you use
Microsoft Outlook, Microsoft Outlook Express, or Netscape Messenger
(also known as "Netscape Mail"), you do not have to worry about the
buffer overflow problem. It does *NOT* affect you or your email
program.
I also want to share with you something that the CIAC mentioned in its
most recent bulletin
While at first glance this appears to [be] the Good_Times hoax
come to life (see http://ciac.llnl.gov/ciac/
CIACHoaxes.html#goodtimes) this is not really the case.
Good_Times was supposed to run itself on any system that
downloaded and read the Good_Times message. This mime name
vulnerability is caused by improperly handled mime headers in a
few versions of some very popular e-mail/news readers. By
replacing the vulnerable readers with properly patched versions,
this vulnerability is eliminated.
In other words, despite the media's recent cries that this buffer
overflow problem is proof the "email sky" is falling, the world of
email is still extremely safe. The problems with Outlook, Outlook
Express, and Messenger are simply an example of poor programming.
Microsoft's and Netscape's programming errors aside, you still can not
get a virus or Trojan Horse from simply reading an email letter with
your eyes, regardless of that letter's subject line. Anyone who tells
you otherwise is either misinformed or is lying.
For more information on this issue, visit the CIAC's most recent
bulletin on the buffer overflow problem at
http://ciac.llnl.gov/ciac/bulletins/i-077a.shtml
Actually, you might want to also check
http://ciac.llnl.gov/cgi-bin/index/bulletins?i
to see if the CIAC has released any new bulletins on this issue (the
latest bulletin is I-077a).
Since the San Jose Mercury News was the first news organization to
report this story, you might want to check out David Wilson's article
"U.S. issues alert over e-mail flaw"
http://www.sjmercury.com/business/tech/docs/security072998.htm
I'm only guessing here, but I'd be willing to bet that the folks at
the San Jose Mercury News will continue to follow this story closely
and will post regular updates in their Good Morning Silicon Valley
section at
http://www.sjmercury.com/gmsv/gmsv_morning.shtml
and in their business "tech wire" section at
http://www.sjmercury.com/business/tech/
For more information on the Mercury News, see the 25 June 1998 or 21
May 1998 TOURBUS posts at <http://www.tourbus.com/archives.htm>. For
more information on the CIAC, see the 19 March 1998 TOURBUS post at
the same address.
... and yes, you have my permission to forward today's post to your
friends. All I ask in return is that you forward *ALL* of today's
post -- ads, Southern Words, subscription info, everything. And if
you include a plug telling your friends they *have* to subscribe to
TOURBUS because it is so cool, I promise I'll be your new best
friend. :P
=====================[ TOURBUS Rider Information ]===================
The Internet TOURBUS - U.S. Library of Congress ISSN #1094-2238
Copyright 1995-98, Rankin & Crispen - All rights reserved
Archives on the Web at http://www.TOURBUS.com
=====================================================================
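
Added example, not part of the original TOURBUS post or the CIAC bulletin: the unchecked header copy the CIAC describes above, next to a version that measures the attachment file name first and rejects it if it does not fit. The function names and the 200-byte buffer are assumptions chosen for illustration (the size echoes the post's "over 200 characters" figure); this is not the mail readers' actual code.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 200  /* assumed buffer size, echoing the 200-character figure above */

/* Flawed pattern, shown for contrast: no length check, so a name longer
   than dst overwrites whatever follows dst in memory. */
void copy_name_unchecked(char *dst, const char *name) {
    strcpy(dst, name);
}

/* Hardened: find the filename parameter (case-sensitive, a simplification),
   measure it, and refuse it if it does not fit.
   Returns 0 on success, -1 if absent or malformed, -2 if too long. */
int extract_filename(const char *header, char *dst, size_t dstlen) {
    const char *p = strstr(header, "filename=");
    size_t len;
    if (p == NULL)
        return -1;
    p += strlen("filename=");
    if (*p == '"') {                    /* quoted form: runs to the closing quote */
        const char *end;
        p++;
        end = strchr(p, '"');
        if (end == NULL)
            return -1;                  /* unterminated quote */
        len = (size_t)(end - p);
    } else {                            /* bare token: runs to ';' or whitespace */
        len = strcspn(p, "; \t\r\n");
    }
    if (len >= dstlen)
        return -2;                      /* reject; dst is left untouched */
    memcpy(dst, p, len);
    dst[len] = '\0';
    return 0;
}

int main(void) {
    char name[NAME_BUF];
    char longhdr[512] = "Content-Disposition: attachment; filename=\"";
    size_t n = strlen(longhdr);
    memset(longhdr + n, 'A', 300);      /* constructed 300-character file name */
    longhdr[n + 300] = '"';
    printf("short: %d\n", extract_filename("Content-Disposition: attachment; filename=\"ROADMAP.TXT\"", name, sizeof name));
    printf("name:  %s\n", name);
    printf("long:  %d\n", extract_filename(longhdr, name, sizeof name));
    return 0;
}
```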