The vulnerability smoothes the way for a new type of email-borne virus, also called a Trojan horse, and other malicious software. Microsoft Outlook is one of the most popular email programs in use.
Ordinarily, when a Microsoft Outlook user clicks on a file that has been received as an "attachment," the program will ask whether the user wants to open or save the attachment. Programs which exploit the vulnerability, however, fool Outlook into executing the potentially harmful software without asking permission.
Email containing a malicious payload is a popular new method of attacking computers. For example, US West's internal network had to be shut down for an evening about two weeks ago because of a self-generating attack.
The attack works by disguising the true identity of an email attachment so that Outlook assumes the attached file is benign, said the discoverer, Juan Carlos Garcia Cuartango, a Spanish researcher who has found several other weaknesses in the past. The masquerade works because Outlook doesn't examine files with common "extensions." An extension is a three-letter filename suffix, such as "doc" or "gif."
"Outlook does not care about what the real attachment contains. It only cares about the attached file suffix," Cuartango said in an email.
Microsoft was unable to comment on the vulnerability by press time.
The newly discovered problem affects Microsoft Outlook Express 4 and 5, Outlook 98, and Outlook 2000, according to Elias Levy, chief technology officer of Security Focus, a company that monitors computer security problems. There aren't yet reports of active attacks using the vulnerability, he said.
"I think it's very severe," Levy said. "It could be used to create something just as bad or even worse than Melissa," he said, speaking of a virus that swept the Internet in March.
Melissa was successful largely because it automatically sent copies of itself to unsuspecting users via Microsoft Outlook email software. Antivirus software initially failed to detect the virus, although Melissa ultimately proved a bonanza for antivirus companies.
Since its emergence, several other variants have appeared on scene. Cuartango said he notified Microsoft of the vulnerability on October 15.
The basic problem isn't being fixed by companies such as Microsoft and Netscape, Levy believes.
"Cuartango and [fellow bug catcher Georgi] Guninski have shown we just have this cycle. They find a bug, the vendor patches it, a week goes by, and they find another one," Levy said. "We have to look beyond that at what's fundamentally wrong here: We have programs such as Web browsers and email clients that connect to an untrusted network from which they receive data they do not trust."
Levy believes the solution is to adopt a method used by the military, in which programs run in a safe zone within a computer--a cordoned-off area where the programs have minimum privileges and can't do any damage. Sun Microsystems has taken steps in this direction with its "sandbox" area, Levy said, but there still is room for attacks that don't use Java and companies have had some difficulties in making sure Java works like it's supposed to.
The Unix operating system, which is supposed to restrict the actions of computer tasks not run by the system administrator, is better than Windows, Levy said. However, it's "definitely not the solution either."
The new vulnerability works through a series of disguises, Levy said. First, the malicious program is converted into a Microsoft archive format called a "cab" file. Then, the cab file is renamed with an extension of a file type that Outlook isn't concerned with (such as "jpg," "mov," or "txt"), then emailed as an attachment.