Subject: Security Bug Affects Unopened E-Mail Attachments
From: Steven J. Coker
Date: August 01, 1998

Security Bug Affects Unopened E-Mail Attachments

Malicious code may affect systems running Microsoft or Netscape e-mail.

See: http://www.pcworld.com/pcwtoday/article/0,1510,7559,00.html
by Brian McWilliams, PC World News Radio
July 27, 1998, 3:29 p.m. PT

Researchers in Finland have discovered a serious security flaw in e-mail software from both Microsoft and Netscape.

The bug, identified by the Secure Programming Group at Finland's Oulu University, can be exploited by an attacker who sends you an e-mail message with an attachment that has an extra-long filename.

The long name can cause Microsoft's Outlook 98 and Outlook Express mail programs, as well as Netscape's Messenger mail program, to crash from a buffer overflow. After that, your computer could be forced to run malicious code that's actually contained right in that long filename.

The e-mail vulnerability exists on most, but not all, 32-bit Windows systems. Microsoft released a patch today for its Outlook 98 and Outlook Express e-mail clients. Netscape said it will have a patch ready in about two weeks for its Communicator suites, versions 4.05 and 4.5 beta. Qualcomm's Eudora e-mail client appears not to be affected by the bug.

Both Microsoft and Netscape are urging affected users to apply the patches as soon as possible. The bug is especially pernicious because you don't actually have to open the attachment to be affected. Simply downloading the message off your mail server can cause the crash and the malicious code to execute.

Russ Cooper, editor of the NT Bugtraq mailing list, says the software vendors should go even further and issue a recall of the affected programs to prevent a widespread virus or Internet worm outbreak.

Note: As of 7/28, Microsoft has made the appropriate patch available to Windows 98 users as a "critical" update available by running the Windows Update utility.

-=-=-=-=-

Netscape Security Notes

See: http://home.netscape.com/products/security/resources/notes.html

A vulnerability reported by researchers at Oulu University in Finland affects Netscape Communicator 4.0 to 4.05 and Netscape Communicator 4.5 Preview Release 1. An update to Communicator 4.0x will be available in the next two weeks. For more information, see the note regarding the Long Filename Mail vulnerability.

Long Filename Mail Vulnerability
JULY 27, 1998
http://home.netscape.com/products/security/resources/bugs/longfile.html

The Long Filename Mail vulnerability has been identified by a Finnish tester at OUSPG and is documented at AUSCERT. It affects the mail and news components of Netscape Communicator 4.0 through 4.05 and Netscape Communicator 4.5 Preview Release 1 on the Windows 3.1, 95, 98, and NT platforms. At this time Netscape does not believe that this vulnerability affects the Macintosh or Unix versions of Communicator. Although this vulnerability has been verified by Netscape, no customer incidents have been reported to Netscape. Netscape expects to make available a fix for Communicator 4.0x within two weeks.

The Long Filename Mail vulnerability could allow an email or newsgroup message with an attachment that has a very long filename to execute malicious code on your computer. In order for the malicious code to cause problems, you must select the File menu while viewing the message.

Description of the Vulnerability

The Long Filename Mail vulnerability can cause one or more of the following to occur when you select the File menu while viewing a message that has an attachment with a long filename:

* Communicator may quit unexpectedly.
* Selecting the File menu may cause malicious code to be executed on your computer.

Netscape is not aware of any users who have been affected by a malicious message.

HOW TO AVOID THE VULNERABILITY

Until a patch is available, configure Communicator to always view attachments as links, rather than display them inline.
To do so, select the appropriate command on the View menu.

* In Communicator 4.0 through 4.05, select View: Attachments: As Links.
* In Communicator 4.5 Preview Release 1, if your menu reads View: View Attachments Inline, select this item to toggle it to viewing attachments as links.

If you view a message with an attachment that has a filename with 200 or more characters (this may appear as an attachment link that extends beyond the window width), follow these instructions:

1. Do NOT select the File menu under any circumstances when the message is selected.
2. You can save the attachment to your hard disk for viewing with another application by right-clicking on the attachment link in the message and selecting Save Link As.
3. It is recommended that you delete the message with the long filename attachment by clicking the Delete icon in the toolbar. You should delete the message whether or not you were able to save the attachment as described in the previous step.
4. If you need to exit Communicator while the suspect message is selected, click on the X icon in the upper-right corner of the window. Do not use the File menu to exit the application unless you have deleted the suspect message or have selected an alternate message.

Please note that not all attachments with filenames of 200 or more characters will necessarily be malicious.

Netscape recommends that users protect themselves by upgrading to a patch release for Communicator 4.0x when it is available in two weeks, or to Communicator 4.5 Preview Release 2, when it is available.

Versions and Platforms Affected

Netscape has confirmed that the security issue affects the mail and news components of Communicator for the following versions and platforms:

* Netscape Communicator 4.0 through 4.05 on Windows 3.1, 95, 98, and NT platforms
* Netscape Communicator 4.5 Preview Release 1 on Windows 95, 98, and NT platforms

Netscape believes that the following mail and news component versions are NOT affected:

* Netscape Communicator 4.0 through 4.05 on Macintosh and Unix platforms
* Netscape Communicator 4.5 Preview Release 1 on Macintosh and Unix platforms
* Netscape Navigator 2.x and 3.x on all platforms

Information on How to Obtain a Fix

Netscape is testing a fix for Communicator 4.0x for Windows 3.1, 95, 98, and NT and expects to release it in the next two weeks. Check this page for details on where to download the fix for this vulnerability.

For more information about security on Netscape products, visit the Security Notes page at http://home.netscape.com/products/security/resources/notes.html

==== SCROOTS Mailing List ====
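
Added example, not part of the original message or of Netscape's note: a Python check that a mail gateway or mailbox audit could run to flag messages whose attachment names reach the 200-character length the note treats as suspect, including names split across RFC 2231 continuation parameters. The function names and the sample message are constructed for illustration.

```python
import email
from email import utils

SUSPECT_LEN = 200  # length the Netscape note says to treat as suspect


def declared_names(part):
    """Yield (header, decoded name) for each place a MIME part can name its attachment."""
    for header, param in (("content-disposition", "filename"),
                          ("content-type", "name")):
        value = part.get_param(param, header=header)
        if value is not None:
            # get_param joins RFC 2231 continuations (filename*0, filename*1, ...);
            # collapse_rfc2231_value decodes the charset-tagged form if present.
            yield header, utils.collapse_rfc2231_value(value)


def find_long_names(raw, limit=SUSPECT_LEN):
    """Return one finding per attachment name of `limit` or more characters."""
    msg = email.message_from_bytes(raw)
    findings = []
    for index, part in enumerate(msg.walk()):
        for header, name in declared_names(part):
            if len(name) >= limit:
                findings.append({"part": index, "header": header,
                                 "length": len(name)})
    return findings


def build_sample(name_len):
    """Constructed test message: attachment name split into 60-character pieces."""
    name = "A" * (name_len - 4) + ".txt"
    chunks = [name[i:i + 60] for i in range(0, len(name), 60)]
    params = ";\r\n ".join(f'filename*{n}="{c}"' for n, c in enumerate(chunks))
    return (
        "From: sender@example.test\r\n"
        "Subject: constructed sample\r\n"
        'Content-Type: multipart/mixed; boundary="b"\r\n\r\n'
        "--b\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        "--b\r\nContent-Type: application/octet-stream\r\n"
        f"Content-Disposition: attachment;\r\n {params}\r\n\r\n"
        "ZGF0YQ==\r\n--b--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for finding in find_long_names(build_sample(250)):
        print(finding)
```

As the note itself says, a long name is not necessarily malicious, so a finding is a reason to quarantine and inspect the message rather than a verdict.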