Security Bug Affects Unopened E-Mail Attachments - Steven J. Coker
Subject: Security Bug Affects Unopened E-Mail Attachments
From: Steven J. Coker
Date: August 01, 1998

Security Bug Affects Unopened E-Mail Attachments 
Malicious code may affect systems running Microsoft or Netscape e-mail.
See: http://www.pcworld.com/pcwtoday/article/0,1510,7559,00.html

by Brian McWilliams, PC World News Radio 
July 27, 1998, 3:29 p.m. PT 

Researchers in Finland have discovered a serious security flaw in e-mail
software from both Microsoft and Netscape.

The bug, identified by the Secure Programming Group at Finland's Oulu
University, can be exploited by an attacker who sends you an e-mail message with
an attachment that has an extra-long filename. The long name can cause
Microsoft's Outlook 98 and Outlook Express mail programs, as well as Netscape's
Messenger mail program, to crash from a buffer overflow. After that, your
computer could be forced to run malicious code that's actually contained right
in that long filename.

The e-mail vulnerability exists on most, but not all, 32-bit Windows systems.
Microsoft released a patch today for its Outlook 98 and Outlook Express e-mail
clients. Netscape said it will have a patch ready in about two weeks for its
Communicator suites, versions 4.05 and 4.5 beta. Qualcomm's Eudora e-mail client
appears not to be affected by the bug.

Both Microsoft and Netscape are urging affected users to apply the patches as
soon as possible. The bug is especially pernicious because you don't actually
have to open the attachment to be affected. Simply downloading the message off
your mail server can cause the crash and the malicious code to execute.

Russ Cooper, editor of the NT Bugtraq mailing list, says the software vendors
should go even further and issue a recall of the affected programs to prevent a
widespread virus or Internet worm outbreak.

Note: As of 7/28, Microsoft has made the appropriate patch available to Windows
98 users as a "critical" update available by running the Windows Update utility. 

-=-=-=-=-

Netscape Security Notes
See: http://home.netscape.com/products/security/resources/notes.html

A vulnerability reported by researchers at Oulu University in Finland affects
Netscape Communicator 4.0 to 4.05 and Netscape Communicator 4.5 Preview Release
1. An update to Communicator 4.0x will be available in the next two weeks. For
more information, see the note regarding the Long Filename Mail vulnerability. 

Long Filename Mail Vulnerability 
JULY 27, 1998 
http://home.netscape.com/products/security/resources/bugs/longfile.html

The Long Filename Mail vulnerability has been identified by a Finnish tester at
OUSPG and is documented at AUSCERT. It affects the mail and news components of
Netscape Communicator 4.0 through 4.05 and Netscape Communicator 4.5 Preview
Release 1 on the Windows 3.1, 95, 98, and NT platforms. At this time Netscape
does not believe that this vulnerability affects the Macintosh or Unix versions
of Communicator. Although this vulnerability has been verified by Netscape, no
customer incidents have been reported to Netscape. Netscape expects to make
available a fix for Communicator 4.0x within two weeks. The Long Filename Mail
vulnerability could allow an email or newsgroup message with an attachment that
has a very long filename to execute malicious code on your computer. In order
for the malicious code to cause problems, you must select the File menu while
viewing the message. 

Description of the Vulnerability 
The Long Filename Mail vulnerability can cause one or more of the following to
occur when you select the File menu while viewing a message that has an
attachment with a long filename: 

* Communicator may quit unexpectedly. 
* Selecting the File menu may cause malicious code to be executed on your
computer. Netscape is not aware of any users who have been affected by a
malicious message. 

HOW TO AVOID THE VULNERABILITY
Until a patch is available, configure Communicator to always view attachments as
links, rather than display them inline. To do so, select the appropriate command
on the View menu. 

* In Communicator 4.0 through 4.05, select View: Attachments: As Links. 
* In Communicator 4.5 Preview Release 1, if your menu reads View: View
Attachments Inline, select this item to toggle it to viewing attachments as
links. 

If you view a message with an attachment that has a filename with 200 or more
characters (this may appear as an attachment link that extends beyond the window
width), follow these instructions: 

1. Do NOT select the File menu under any circumstances when the message is
selected. 

2. You can save the attachment to your hard disk for viewing with another
application by right-clicking on the attachment link in the message and
selecting Save Link As. 

3. It is recommended that you delete the message with the long filename
attachment by clicking the Delete icon in the toolbar. You should delete the
message whether or not you were able to save the attachment as described in the
previous step. 

4. If you need to exit Communicator while the suspect message is selected, click
on the X icon in the upper-right corner of the window. Do not use the File menu
to exit the application unless you have deleted the suspect message or have
selected an alternate message. 

Please note that not all attachments with filenames of 200 or more characters
will necessarily be malicious. 

Netscape recommends that users protect themselves by upgrading to a patch
release for Communicator 4.0x when it is available in two weeks, or to
Communicator 4.5 Preview Release 2, when it is available. 

Versions and Platforms Affected 
Netscape has confirmed that the security issue affects the mail and news
components of Communicator for the following versions and platforms: 

* Netscape Communicator 4.0 through 4.05 on Windows 3.1, 95, 98, and NT
platforms 
* Netscape Communicator 4.5 Preview Release 1 on Windows 95, 98, and NT
platforms

Netscape believes that the following mail and news component versions are NOT
affected: 

* Netscape Communicator 4.0 through 4.05 on Macintosh and Unix platforms 
* Netscape Communicator 4.5 Preview Release 1 on Macintosh and Unix platforms 
* Netscape Navigator 2.x and 3.x on all platforms 

Information on How to Obtain a Fix 
Netscape is testing a fix for Communicator 4.0x for Windows 3.1, 95, 98, and NT
and expects to release it in the next two weeks. Check this page for details on
where to download the fix for this vulnerability. For more information about
security on Netscape products, visit the Security Notes page at
http://home.netscape.com/products/security/resources/notes.html

==== SCROOTS Mailing List ====
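
The advisory's "200 or more characters" rule can be checked on the raw message at the mail server, before any client parses it. The following is an added example, not part of the original post or of any vendor fix; the function names and the sample message are constructed for illustration, and a flagged message is only suspect, as the advisory notes.

```python
from email import message_from_bytes
from email.utils import collapse_rfc2231_value

THRESHOLD = 200  # the advisory's "200 or more characters"
# A client may take the name from either header, so measure both.
SOURCES = (("Content-Disposition", "filename"), ("Content-Type", "name"))


def long_filename_findings(raw_message, threshold=THRESHOLD):
    """Return (header, decoded_length) for each over-long attachment name."""
    findings = []
    for part in message_from_bytes(raw_message).walk():
        for header, param in SOURCES:
            # get_param joins RFC 2231 continuations (filename*0,
            # filename*1, ...), so the full name is measured.
            value = part.get_param(param, header=header)
            if value is None:
                continue
            # Decode the charset-tagged tuple form, if any, to a str.
            name = collapse_rfc2231_value(value)
            if len(name) >= threshold:
                findings.append((header, len(name)))
    return findings


def build_sample(name_len, split=False):
    """Constructed test message; the filename is filler letters only."""
    name = "A" * (name_len - 4) + ".txt"
    if split:
        half = len(name) // 2
        disp = f'filename*0="{name[:half]}"; filename*1="{name[half:]}"'
    else:
        disp = f'filename="{name}"'
    return (
        "From: sender@example.test\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        "--b1\r\nContent-Type: application/octet-stream\r\n"
        f"Content-Disposition: attachment; {disp}\r\n\r\nAAAA\r\n"
        "--b1--\r\n"
    ).encode("ascii")


if __name__ == "__main__":
    for sample in (build_sample(199), build_sample(200), build_sample(300, True)):
        print(long_filename_findings(sample) or "ok")
```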




