Microsoft and other software sellers and security organizations have long warned people that they should protect themselves against email viruses by not opening attachments they are not expecting.
But under a potential exploit Microsoft described today, email recipients wouldn't even have to open booby-trapped attachments or the email message. Simply receiving the message from the email server would be enough to trigger the damage.
A component distributed with Microsoft's Internet Explorer browser and common to both the Outlook email software and Outlook Express productivity software suite is vulnerable to a buffer overflow exploit.
Said to be the most common software bug of the past 10 years, the buffer overflow problem lies in the way fields respond to long strings of data.
In this instance, the date field of Outlook email is vulnerable to a buffer overflow attack, in which a bogus and extremely long date can cause the application to crash and send excess characters--potentially malicious code--into memory, where they can be executed.
Microsoft said it is working on patches that will protect against the vulnerability, with patches available for some versions of IE and the Windows operating system but not for others.
Microsoft said anyone who has installed IE 5.01 Service Pack 1 or IE 5.5 is already protected against the exploit, unless the computer runs Windows 2000. Windows 2000 users will need to install Windows 2000 Service Pack 1. Microsoft said patches for IE 4.01 Service Pack 2 and IE 5.01 are in progress.
Another patch is under construction for computers running Outlook but not Outlook Express.
Microsoft credited Buenos Aires-based security firm Underground Security Systems Research (USSR) with discovering the bug. The vulnerability was also the subject of an alert on the Bugtraq security mailing list.
The buffer overflow bug comes in the wake of a lengthening string of security embarrassments for Microsoft. Fresh from patching a handful of bugs affecting its Excel, PowerPoint and Access software, the company is still in the process of repairing several vulnerabilities in its Internet Explorer browser and other applications.