The slew of email program security holes found in recent weeks is prompting one of the leading makers of server-based routing software to develop its own solution to the problem.
Sendmail in Emeryville, California, is to post today a patch that can be installed on its email server software, preventing companies from having to undergo the laborious task of installing patches on sometimes thousands of PCs spread out around a company.
While the security flaw is not in the server software, Sendmail began developing the server-based patch at the urging of the nonprofit Computer Emergency Response Team, or CERT. The organization is based at Carnegie Mellon University and focuses on Internet security issues.
According to Sendmail executives, the patch they developed truncates long headers before they arrive in end users' mailboxes based on the setting of a new option.
The "long file name" security glitch affects the way email clients handle file attachments with extremely long file names. When a user attempts to download, open, or launch a file attachment that has a name greater than 200 characters in length, the action might cause the email software to crash. At that point, a skilled hacker could possibly run arbitrary code in the computer's memory, according to a security bulletin posted recently by Microsoft.
The patch, which is available for free, is for Version 8.9.1 of Sendmail's email routing system. Users can find the patch at Sendmail's Web site.