The ongoing turmoil caused by a security hole in Microsoft Outlook 98 and Outlook Express 4.x messaging client continued today, as the company said it posted a new patch for problem but warned that someone is emailing users a false fix for the issue.
Microsoft said the bogus repair comes in an email attachment along with a message which states that the attached patch will fix a security bug that was first reported last month. But, according to the software giant, the file is not valid and should not be installed.
"Customers should obtain the official patches by downloading them from the Microsoft Web site, or a trusted Internet service provider," the company said in a statement issued today. While the company said it has been emailing customers to alert them of the problem and the availability of the correct patch, it does not send patches by email.
The new patch issued by Microsoft replaces a patch initially posted by the company last month that fixed only some of the security problems.
The original security problem occurs when a user attempts to download, open, or launch a file attachment that has a name longer than 200 characters, the action might cause the email software to crash. At that point, a skilled hacker could possibly run arbitrary code in the computer's memory.
The security breach also compromised messaging clients that come with Netscape Communications' Web browser software as well. Netscape has posted detailed instructions to its Web site explaining how users can avoid the problem.
Microsoft said it has posted notifications about the security hole and bogus email patch on most of its Web sites, including its home page. In addition, the company has also contacted CERT, an industry security organization that distributes security-related information to corporate, government, and end users.
Last week, Qualcomm said its popular messaging program Eudora also had a security hole that could allow someone to email file attachments that could erase files or install a virus. The company has posted a patch on its Eudora security Web page.
And yesterday, Sendmail, the leading vendor of server-based routing software used by Internet service providers and commercial email services, said it had issued a patch that can be installed on its email server software, preventing companies from having to undergo the laborious task of installing patches on sometimes thousands of PCs spread out around a company.