The way Microsoft and Netscape mail clients handle attachments with very long filenames may leave internet users vulnerable to an overflow attack, unleashing a virus or Trojan Horse onto their PC. One example of an overflow is the notorious Internet Worm, which in 1998 forced administrators to shut down part of the net.

Nastier still, users can't protect themselves by refusing to open attachments. All the user has to do to trigger the attack is use the File menu in Netscape Communicator or activate the paperclip icon in Microsoft Outlook while the attachment is selected.

Ari Takanen and Marko Laakso, researchers at the Oulu University Secure Programming Group in Finland, took only half an hour to find a way of exploiting the buffer overrun. Their method works on Microsoft Outlook 98, Outlook Express, Netscape Communicator versions 4.0 through to 4.05 and certain Communicator 4.5 preview releases. When handling an email or Usenet news attachment with a filename longer than 200 characters, these programs may crash unexpectedly.

As Microsoft's official statement put it: "It is difficult but possible for an individual to cause malicious code to be executed on your computer as a result of this problem." That means the email itself could carry a virus or Trojan Horse. The contents of the attachment are irrelevant: the malicious code would be contained in the tags that identify it.

As yet the vulnerability remains theoretical. No hostile incidents have been reported – yet. Microsoft has released a patch, available for download from http://support.microsoft.com/support/downloads/LNP499.asp. Netscape is testing a fix and hopes to have it ready in a couple of weeks. Yet another company, Certifiedmail.com, has capitalized on the publicity to announce its August 3 launch as a provider of secure environments for sending, tracking and verifying email.

In the meantime, people receiving attachments with long filenames can prevent incidents by saving them to disk or deleting them altogether. Either way, Communicator and Outlook users are warned not to use the File menu or paperclip icon when an attachment with a long filename is selected.

Russ Cooper, moderator of the NT BugTraq mailing list, says the vulnerability is one of the most serious computer security flaws yet reported. He points out that in a year or two, when digital signatures are widely used, the consequences of this buffer overrun attack will be very serious indeed. "Imagine if your bank starts receiving signed messages asking to have money transferred to some unknown account," Cooper says in an editorial. "Imagine if every employee in a company receives an email telling them it's OK to speak about some secret project."

To prevent that happening, he calls for an industry-wide set of procedures for handling software recalls. "We need to find all copies of all CDs which contain these affected versions," Cooper writes, "if we are to prevent an Internet Worm in the future, then we must remove the affected versions or prevent them from being used." If this is not done, users clinging to old versions of software could leave the net vulnerable to another worm and another shutdown, this one, Cooper says, with far more serious repercussions than the last.
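
The 200-character threshold reported above can also be checked at a mail gateway, before a message reaches an unpatched client. The following is an added example, not part of the original article or of either vendor's fix; the function names and the sample messages are constructed for illustration. It measures the attachment name in both headers that can carry it, including names split across RFC 2231 continuation parameters.

```python
from email import message_from_bytes
from email.utils import collapse_rfc2231_value

MAX_NAME_LEN = 200  # filename length the article reports as triggering the crash

# An attachment name can arrive in either of these header parameters.
NAME_PARAMS = (("content-disposition", "filename"), ("content-type", "name"))

def oversized_attachment_names(raw, limit=MAX_NAME_LEN):
    """Return (part_number, header, name_length) for every name longer than limit."""
    findings = []
    for number, part in enumerate(message_from_bytes(raw).walk()):
        for header, param in NAME_PARAMS:
            # get_param joins RFC 2231 continuations (filename*0, filename*1, ...),
            # so a name split into short segments is still measured whole.
            value = part.get_param(param, header=header)
            if value is None:
                continue
            name = collapse_rfc2231_value(value)  # decode charset-tagged values
            if len(name) > limit:
                findings.append((number, header, len(name)))
    return findings

def build_sample(disposition):
    """Constructed two-part message carrying the given Content-Disposition value."""
    return (
        "From: sender@example.test\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n"
        "\n"
        "body\n"
        "--b1\n"
        "Content-Type: application/octet-stream\n"
        f"Content-Disposition: {disposition}\n"
        "\n"
        "data\n"
        "--b1--\n"
    ).encode("ascii")

# Constructed samples: a normal name, a 254-character name, and the same
# 254-character name split into two continuation segments.
SHORT = build_sample('attachment; filename="report.txt"')
LONG = build_sample('attachment; filename="' + "A" * 250 + '.txt"')
SPLIT = build_sample('attachment;\n filename*0="' + "A" * 150
                     + '";\n filename*1="' + "A" * 100 + '.txt"')
```

A gateway would quarantine or rewrite any message for which the function returns a non-empty list; part number 0 is the outer multipart container.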
