Just when you thought it was safe to read e-mail...


The conventional wisdom has always been that you and your computer have nothing to fear from e-mail file attachments as long as they remain unopened. Unfortunately, this assumption no longer holds true.

Announcements by Microsoft and Netscape have drawn attention to security holes in Outlook Express, Outlook 98 and Communicator which potentially allow hackers to unleash malicious code on your system. At the time of writing, we have not come across any evidence of anyone exploiting this weakness, but if you're using Outlook Express or Netscape Messenger as your e-mail program, it makes sense to shore up your defences.

Outlook Express and Outlook 98

Microsoft, always reluctant to use the word "bug", calls this the "file attachment issue". When Outlook Express processes an e-mail attachment with an extremely long file name, the memory space allocated to store the file name overflows. This so-called "buffer overflow" can crash Outlook Express and allow malicious code contained in the message's MIME header to be executed.

Patches are available to fix the problem, but deciding which patch to apply can be confusing. If you are currently running Internet Explorer 4.0, the first step is to upgrade to Version 4.01 (available on our cover CD). Then point your browser to www.microsoft.com/ie/security/oelong.htm. If you're using Internet Explorer 4.x, you can take advantage of an ActiveX control (look for a yellow box) which analyses your current configuration and specifies the patch you require. Netscape users won't see the yellow box, but it's easy enough to select the patch you need from the list of options provided.

A patch for Outlook 98 is available at http://www.microsoft.com/outlook/enhancements/outptch2.asp. Outlook 97 is not affected by the bug.

Netscape Communicator 4

Like Microsoft, Netscape shies away from the word "bug", preferring the expression "long filename mail vulnerability". But whatever they call it, the problem is essentially the same as Microsoft's; it affects Communicator Versions 4.0 through 4.05, and also the 4.5 Preview Release 1. According to Netscape, Macintosh and Unix users, and those still running Navigator 2.x or 3.x, are unaffected by the bug.

Netscape has promised to release a patch, but at the time of writing, none was available. Fortunately, it's not too difficult to sidestep the problem. Netscape recommends that you configure Communicator to view attachments as links instead of displaying them inline. To do this, select View–Attachments and choose As Links, or, if you are using the new 4.5 Preview Release 1, toggle the View Attachments Inline item to read View Attachments as Links.

When viewing messages with file attachments, glance at the attachment file name in the message window. If it's huge (more than 200 characters), a degree of paranoia is justified: don't open the File menu under any circumstances while this message is selected, since this could trigger malicious code. Instead, you should either delete the suspect message by clicking the Delete icon on the toolbar, or right-click the attachment link and choose Save Link As. Once the attachment has been saved, you can safely open it in another application (scan it for viruses first, of course!).
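
The file-name length check described above can also be run automatically over a raw message before any mail client displays it. The following is an added example, not code from the article or from any vendor; the function names and the sample messages are constructed for illustration, and the 200-character limit is the article's own figure.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

MAX_NAME_LEN = 200  # the article's "more than 200 characters" rule of thumb
# Both parameters can carry an attachment's file name in a MIME part header.
NAME_PARAMS = (("Content-Disposition", "filename"), ("Content-Type", "name"))

def scan_message(raw: bytes, limit: int = MAX_NAME_LEN):
    """Return (header, name length, preview) for each over-long attachment name."""
    # latin-1 maps every byte to a character, so 8-bit junk in headers still parses.
    msg = message_from_string(raw.decode("latin-1"))
    findings = []
    for part in msg.walk():
        for header, param in NAME_PARAMS:
            value = part.get_param(param, header=header)
            if value is None:
                continue
            # get_param returns a str, or a 3-tuple for RFC 2231 encoded values.
            name = collapse_rfc2231_value(value)
            if len(name) > limit:
                findings.append((header, len(name), name[:24] + "..."))
    return findings

def build_sample(filename: str) -> bytes:
    """Constructed two-part test message; not a captured real-world sample."""
    return (
        "From: sender@example.com\r\n"
        "To: reader@example.com\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n\r\nhello\r\n"
        "--b1\r\n"
        f'Content-Type: application/octet-stream; name="{filename}"\r\n'
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "\r\n"
        "data\r\n"
        "--b1--\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    for label, name in (("benign", "report.doc"), ("suspect", "A" * 300 + ".txt")):
        print(label, scan_message(build_sample(name)))
```

A message that produces any findings can be quarantined or deleted unopened, which matches the advice above.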

Eudora Pro 4.0

Eudora rarely makes an appearance in Bugs and Fixes, but it seems that Qualcomm's popular e-mail client is now afflicted by a similar security problem. Like the Netscape and Microsoft bug, the Eudora "issue" involves rogue file attachments. Apparently it is possible for a malicious programmer to add "hostile Java applets or scripts" to an e-mail message and mask the attachment name as a URL in the body of the message. Click the URL and you could be launching a hostile piece of code.

The simplest defence strategy is to disable the Microsoft viewer in the Options dialogue box. Alternatively, download the patch from our CD or from eudora.qualcomm.com/pro_email/updaters.html.

Users of the Macintosh version of Eudora and those running versions prior to 4 are not affected by this bug. Eudora Pro 4.1 (currently available in beta form) has also been declared safe by Qualcomm.

– Neville Clarkson


Category:bugs and fixes
Issue: October 1998

These Web pages are produced by Australian PC World © 1998 IDG Communications