All products featured on WIRED are independently selected by our editors. However, we may receive compensation from retailers and/or from purchases of products through these links.
On Wednesday, Microsoft released a new and improved remedy for a security problem discovered late last month in the company's Outlook 98 email software. Further, the company alerted users to a mischievous -- and bogus -- program masquerading as a Microsoft product.
The email hole, which could allow malicious programs to gain access to a computer and erase files or cause other havoc, affects both Microsoft Outlook 98 and Netscape Communicator. Netscape said it will issue a fix for its program later this week.
After the vulnerability was first discovered, Microsoft (MSFT) issued an initial software update to address the problem.
After probing the software, the company turned up what it described as a variant on the original problem. "We went back through Outlook 98 and [Outlook] Express and saw some similar issues," said Karan Khanna, Microsoft product manager for the Windows NT security team. For example, attackers could insert strings of code instead of file names in different places.
"We looked through the entire code base to make sure we did address them," Khanna said.
The newest patch is designed to fix the variant as well as the original problem. The company posted information on patches for both Outlook 98 and all releases of Outlook's fourth version on its Web site. It also informed various computer-security organizations such as the Computer Emergency Response Team, or CERT.
Meanwhile, Netscape (NSCP) instructed users at its Web site on how to avoid triggering the exploit in current versions of its Communicator email software.
The original problem -- as well as related issues Netscape says it has discovered in the interim -- will be addressed in the previously planned 4.06 version of Communicator. That software is due by week's end, said spokeswoman Edith Gong.
Microsoft and Netscape both said they received no reports of customers being adversely affected by the flaw.
Both Netscape's and Microsoft's programs are able to use long file names for attachments. Without limits on the length of names, malicious software code could be inserted in place of an attached file's name.
That code could carry instructions to perform potentially harmful actions on the recipient's computer, such as password theft or data destruction. Analyses of the problem indicated that the code's destructive activity could be triggered by certain common user actions, such as selecting the message and clicking on a menu.
In a separate security incident, Microsoft also said it has learned of a bogus email message circulating the Internet that purports to carry an attached file that will patch Microsoft software. "This has nothing to do with a Microsoft product," Khanna said. "It's somebody spoofing as Microsoft and spamming people."
"As user of Microsoft Internet Explorer, Microsoft Corporation provide you an upgrade for your Microsoft Internet Explorer," the email reads verbatim. "Please run Ie080898.exe to install the upgrade. This file will fix some serious bugs in your Internet Explorer."
According to participants on security mailing lists, the Trojan horse program reportedly loads each time the victim boots up his machine. It then apparently sends a swath of email to various Internet domains in Bulgaria.
The company has informed various emergency response teams about this, even the FBI.
"We do not send patches via email," Khanna said. If users receive an email with an attachment that claims to be a patch, they should not install it.
