A security hole in three of the most popular email programs has been identified by a team of researchers at a Finnish university, raising the possibility that hordes of users may have to upgrade their software.
The security glitch affects the way email clients handle file attachments with extremely long file names. When a user attempts to download, open, or launch a file attachment that has a name greater than 200 characters in length, the action might cause the email software to crash. At that point, a skilled hacker could possibly run arbitrary code in the computer's memory, according to a security bulletin posted yesterday by Microsoft.
Since the bug was discovered last month by a team of researchers at a Finnish university, tests have shown its presence in three of the most popular email programs: Microsoft Outlook Express, Outlook 98, and Netscape Communications' current email offering in its Communicator Web software package.
Researchers are still checking to see whether other email programs, such as Eudora, also contain the flaw.
Netscape will post detailed instructions to its Web site this afternoon explaining how users can avoid the problem, according to Julie Herendeen, director of client product marketing at the company.
Herendeen said the flaw affects Netscape Mail version 4.x and above, and only on Windows. Earlier versions, and versions running on Unix and Macintosh systems, are not affected, she said.
Netscape plans to post a patch to its Web site within the next few weeks.
According to Herendeen, the problem occurs when users receive an attachment with a file name longer than 200 characters. She said users should not open or save the attachment directly from the file menu. Instead, users should right-click on the attachment, choose "save as," and save it to their hard drive. Then, the original message should be deleted, she said.
Microsoft said the flaw can also cause error messages to pop up or can terminate Outlook unexpectedly.
It is difficult but possible for someone to hack into a computer system as a result of this problem, according to the researchers and Microsoft. Netscape and Microsoft say they have received no reports of customers affected by the problem.