Email Hole Exposes Computers

A newly discovered opening in Microsoft and Netscape email programs clears a route for a Trojan horse invasion. The potential consequences: stolen passwords, email control, data loss, and more. By Chris Oakes.

Researchers have discovered a hole in Microsoft and Netscape email programs that could allow malicious programs to gain access to a computer and erase files or cause other havoc.

After a few routine actions following the arrival of an email, Netscape and Microsoft email users could unwittingly launch Trojan horse applications capable of anything from file destruction to data theft. The exact nature of a Trojan horse depends on the intent of the intruder who writes the software and sends it.

"A malicious sender via an email attachment can either launch code on the user's hard drive or potentially access files on the user's machine," said Netscape's Chris Saito, group product manager for Communicator.

Unlike previous Trojan horses, which are activated when users open attached files, the newly discovered rogue programs can be activated by simply receiving attachments.

In Netscape's mail client, Netscape Messenger -- which allows the easiest launching of any code -- the action required is very simple. "Touch the File menu after you touch the message containing the exploit, and the exploit will launch," said security expert Russ Cooper, who moderates the NTBugTraq mailing list.

Rating the threat and potential impact of the software hole, Cooper said, "It's at the top of my list."

The exploit method is slightly different in the two email client programs that have been tested, Microsoft Outlook Express and Messenger. In both, however, the malicious code is contained in email tags containing the name of a file attachment.

Because these tags -- standard across different email software -- put no limit on the length of filenames that can be used, the entire code of a rogue application can be contained there.
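A defensive check for the condition described above, as an added example that is not from the article or from either vendor: a mail-gateway style filter that measures every attachment name in a message and flags the over-long ones. The 255-character limit, the function names and the sample messages are assumptions constructed for illustration.

```python
import email
from email.utils import collapse_rfc2231_value

MAX_NAME_LEN = 255  # assumed gateway policy limit; the article gives no number

# Both places a MIME part can carry an attachment name.
NAME_PARAMS = (("content-disposition", "filename"), ("content-type", "name"))

def oversized_attachment_names(raw_message, max_len=MAX_NAME_LEN):
    """Return (header, length) for every attachment name longer than max_len."""
    msg = email.message_from_string(raw_message)
    findings = []
    for part in msg.walk():
        for header, param in NAME_PARAMS:
            value = part.get_param(param, header=header)
            if value is None:
                continue
            # get_param() has already joined RFC 2231 continuations
            # (filename*0=, filename*1=, ...), so the full length is measured.
            name = collapse_rfc2231_value(value)
            if len(name) > max_len:
                findings.append((header, len(name)))
    return findings

def build_sample(disposition_params, type_name="a.txt"):
    """Constructed test message with one attachment part."""
    return (
        "From: sender@example.com\n"
        "To: user@example.com\n"
        "Subject: constructed sample\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n\nhello\n"
        "--b1\n"
        'Content-Type: application/octet-stream; name="%s"\n'
        "Content-Disposition: attachment; %s\n"
        "\n"
        "data\n"
        "--b1--\n"
    ) % (type_name, disposition_params)

BENIGN = build_sample('filename="report.pdf"', "report.pdf")
LONG = build_sample('filename="%s"' % ("A" * 600), "A" * 600)
SPLIT = build_sample('filename*0="%s"; filename*1="%s"' % ("A" * 200, "B" * 200))

if __name__ == "__main__":
    for label, raw in (("benign", BENIGN), ("long", LONG), ("split", SPLIT)):
        print(label, oversized_attachment_names(raw))
```

The `SPLIT` case shows why the length has to be measured after the parameters are reassembled: each continuation segment is under the limit, but the joined name is not.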

More than simple viruses, Trojan horse attacks are impressive because of their potent capabilities. Full-fledged, "executable" software programs, Trojan horses can be designed to perform any number of intrusive tasks. They can erase files and send out email from the computer they've invaded, for example.

The Trojan threat has been diminished by the fact that users have to consciously find and launch the files after they've come in. The latest outbreak of the virus changes that.

Cooper considers the opening especially dangerous for two reasons: the common and little-guarded email pathway by which the code can make its entry and the powerful capabilities it brings with it. "The scope of this is really undetermined. We don't know all the platforms that are exploitable."

Cooper said triggering the virus in Outlook Express is more difficult than in Messenger. "You highlight the message and right-click the paperclip icon. Then just running your mouse cursor over the name of an attachment executes the code." As Microsoft describes it, the user "might cause the client to shut down unexpectedly." It said that only once the client has crashed could a "skilled hacker" run arbitrary code in the computer's memory.

Both Netscape and Microsoft have already begun responding to the bug. Microsoft has a software update, and discusses the problem on its security information site.

Netscape said it will post an update within two weeks. Saito said the delay was due to the time necessary to properly prepare the update. He said he believed Microsoft learned of the vulnerability sooner and was therefore able to respond more quickly.

"We don't want to reveal too much information. We've been able to reproduce the bug in a lab environment and can tell users how to protect themselves," Saito said. That information, he said, would be posted in the form of a Web page.

Protection boils down to this: "If you open a message from an unknown sender, you do not want to access the File menu," Saito said. The message should be deleted and the mail software exited by means of the Windows close box, marked by an X in the application window's upper-right-hand corner.

Asked to rate the danger, Saito was reserved, citing a desire to keep potential exploiters as uninformed as possible.

Researchers at a Finnish university discovered the bug while doing security testing of Windows NT. The researchers were looking for "overflows" in the Microsoft operating system, areas of software applications that can be used to insert data to run on a user's computer without the user's knowledge. Such an overflow is alluring for its potential access to important network or computer resources.

Cooper is worried by the fact that the vulnerable software is already installed on many machines or on its way, including Microsoft's Windows 98 operating system. This means it is likely to remain in use for years to come.

Cooper is advocating that the companies begin software recall programs to recollect vulnerable software. If they aren't willing to do that, he said, companies should at least spend more resources looking for exploits like this one. All it took the researchers in Finland was a goal and 30 minutes of their time.