02:20 PM ET 07/29/98
Beware of mysterious e-mail, experts say
By Andrea Orr
PALO ALTO, Calif. (Reuters) – You might think twice about
opening a package that arrives in the mail from an unknown
sender. But do you take the same precautions with your e-mail?
Experts, as well as the companies that make e-mail programs,
say you should, to protect your computer files from a new
security flaw that has been discovered, as well as other
potential attacks by computer hackers.
Their warnings followed the discovery of a hole in some of
the most popular e-mail programs, which some experts consider
the biggest computer security problem to surface in a decade.
The problem was first reported this week in the San Jose
Mercury News, which serves California’s Silicon Valley. The
paper said there was a “gaping hole” in the e-mail programs
made by Microsoft Corp. and Netscape Communications Corp.
The flaw, discovered by computer security experts in
Finland, affects two Microsoft e-mail programs — Outlook
Express and Outlook 98 — as well as Netscape’s Web browser.
Although both companies moved quickly to correct the
problem, they added that people should know about some of the
hazards inherent in using e-mail — probably the most popular
Internet application for home and business users — and think
twice about reading files from unknown senders.
Microsoft said it had posted a “patch” to correct the flaw
and had more information available on its Web site
(www.microsoft.com/ie/security).
Netscape said it was working on a patch and should have one
available in two weeks.
Both companies emphasized that there had been no reports of
an actual hacker attack through the hole, which was detected in
a lab setting by experts who routinely scan computer programs
looking for bugs.
The flaw was found last month by the Secure Programming
Group at Oulu University in Finland. It has alarmed some experts
because it appears to be a comparatively easy way to execute an
attack. Tests found hackers could get to users’ files as soon as
the user tried to delete an offending message.
The problem is with e-mail “attachments,” commonly used in
electronic correspondence to send background files or additional
information. But unlike other flaws, which allow attacks only
when the user actually runs the offending attachment, users with
this flaw in their systems could potentially be attacked without
even opening the files.
“The implications and the repercussions could be so
powerful and long-lasting that if you don’t address it
immediately, you run the risk of the problem cascading,” Mike
Nelson, a computer industry consultant who previously worked for
the security firm Pretty Good Privacy Inc., told Reuters.
One problem with a flaw in e-mail systems is that it cannot
be corrected centrally. Even after companies come out with a
fix, it is up to individual users to hear about it and take the
time to install it.
“It is serious to the extent that e-mail is a widely used
application,” said George Meng, Group Product Manager at
Microsoft Office. “If somebody could maliciously send an e-mail
to do damage, there are a lot of people who could potentially be
affected.”
Even after patches for this particular problem are issued,
larger concerns remain over the potential hazards of e-mail.
Peter Shipley, the chief security architect at KPMG, said many
people had a false sense of security with e-mail, leaving files
open and ignoring warnings about mail from unknown senders.
“It’s the same as not locking your car,” Shipley said.
“(The precautions people can take) with e-mail are literally
that simple. And if they don’t take them, either they are afraid
of their computers, or they are lazy.”
Dave Rothschild, vice president of Client Products at
Netscape, said the company advises e-mail users not to read
attachments from unknown senders. As an alternative, users
receiving a mysterious attachment may write back to the sender
and ask them to resend it in the main body of the text.