Microsoft tackles Web email breach

In response to a number of customer complaints, Microsoft posts a fix for a security problem that could have potentially crashed the computers of people who use Web-based email.

In response to a number of customer complaints, Microsoft has posted a fix for a security problem that could have potentially crashed the computers of people who use Web-based email.

Microsoft today alerted Windows 95 and Windows 98 consumers that a patch for the bug, called the "DOS Device in Path Name," has been posted and can be downloaded off the software giant's Web site.

The existence of the bug was first reported last week. The problem stems from a flaw in the way the Windows operating system processes DOS file names, causing system hang-ups and potentially a total system failure.

The bug essentially forces a computer to process a certain sequence of characters. A person could encounter this situation in several instances: when downloading a Web page that has been embedded with malicious code, when opening an email message on Hotmail or another Web-based email service, or simply by typing the code at a DOS prompt. When a computer encounters the sequence of characters and tries to process them, it crashes.

Windows reserves certain DOS path names for devices--such as COM1, CON or LPT1--and these names can't be used as file names, Microsoft explained. But if a user tried to access a file whose name used a combination of these paths, that action would confuse the system and cause a crash, the company said.

"If a read or write operation is attempted to a path whose name contains multiple DOS device names, it will cause Windows 95 and 98 to attempt to access invalid resources," according to the Microsoft security alert. "In some cases, the effect of this invalid access would be to cause the application that supplied the path to hang up, but the more likely effect is that the machine would present a blue debug screen and crash."

The problem had the potential to affect millions of users of Web-based email, which often previews HTML Web pages automatically when an email message is opened. If these pages access a file with one of these problematic names, Windows could crash when asked to locate the file.

For example, a Web page often instructs the computer to access a certain image file to use as the background for the page. If that image file contains DOS file names, Windows could fail while attempting to load the page.

Microsoft's Outlook email program, along with a host of free Web-based email services, automatically launches embedded HTML in a separate browser window. Although Outlook users can turn this feature off, many Web-based email users cannot, making them more vulnerable to this type of system crash.

Web-based email has had its share of security snafus and privacy blunders. Most of these stem from the fact that data stored online and within networked servers is never as private or secure as information stored on local, unconnected machines.

Microsoft stresses that the problem couldn't be exploited by an outsider to gain control of a PC or access data stored locally. But security analysts say that because the bug requires people to reboot their computers, it could be used in conjunction with other known hacking methods that require restarting a computer.

"It's pretty low on the scale of things," said Elias Levy, moderator of the BugTraq newsletter and chief technical officer of, where the problems were first reported. "But it could be used to leverage other problems."