MSNBC: Now, e-mail is even more dangerous

[Vernon Frazee]

Source: http://www.msnbc.com/news/432208.asp?0na=2112121-&cp1=1
 
Now, e-mail is even more dangerous
 
Researchers discover method that allows vandals to take control of a PC simply by sending an e-mail
 
By Bob Sullivan
MSNBC
 
July 18 -- A new method for attacking computers connected to the Internet allows vandals to take control of a PC simply by sending it an e-mail. The vulnerability in Microsoft's Outlook e-mail program has widespread implications: Until now, victims had to willingly open an e-mail attachment, or at least view a specially formed e-mail message, to be attacked. Now, a computer vandal could conceivably take control of thousands of computers with a single mass e-mail. Intruders can have their way with a target machine once it begins to download the ill-formed message to its hard drive.
 
THE VULNERABILITY WAS DISCOVERED about a month ago by a South American security research team known as Underground Security Systems Research, or USSR Labs. MSNBC.com learned of the flaw June 11, but agreed not to publish the information until Microsoft had a chance to supply a fix. That's standard practice in the computer security business in order to prevent possible harm to computer users.
 
However, this morning an individual sent details of the bug to a security mailing list. Microsoft confirmed the existence of the flaw and is working on a patch but would not comment further. (Microsoft is a partner in MSNBC).
 
A spokesperson for USSR Labs told MSNBC.com that the group has been able to add malicious code to e-mail headers that executes as soon as the target computer begins to download the e-mail. "I would say this problem is huge," said Russ Cooper, who watches Microsoft flaws closely as administrator of the NTBugTraq mailing list. "It's the Good Times virus come true. If you heard about this, you would call it a hoax," Cooper said, referring to an old computer myth that a single e-mail could destroy a victim's computer. "Here we have the chance of people hearing, The reason your hard drive was reformatted was because you received that e-mail."
 
ALARMING SCENARIOS Since an attacker could have his way with a victimized computer, several alarming scenarios are possible. A single e-mail could instruct the computer to delete every file on its hard drive, for example. It could also instruct the computer to copy sensitive information from the victim and e-mail it back to the attacker.
 
The vulnerability could have unnerving privacy implications as well. For example, a spam advertiser could send an e-mail that would automatically launch Internet Explorer and direct it to the company's Web site.
 
"This vulnerability can affect a user even if the user follows what would normally be safe computing. As written, this vulnerability is not self-replicating, like the ILOVEYOU virus, which spread around the world in under 12 hours earlier this year. To exploit this problem, an attacker would have to deliberately send a specially formed malicious e-mail to a victim. A virus writer could use this code to create a dangerous self-replicating worm.
 
Microsoft says home users are at the greatest risk, according to a Microsoft draft security bulletin obtained from USSR Labs. But Microsoft also says the bug will impact few corporate users. Specifically, corporations running Outlook in "corporate and workgroup mode" are not at risk; those running in "Internet-only mode" are.
 
The only defense against the vulnerability is installing the Microsoft patch, which will be available shortly on the Microsoft.com security Web site. http://www.microsoft.com/technet/security/default.asp
 
"This vulnerability can affect a user even if the user follows what would normally be safe computing practices such as installing the Outlook Security Update and using the Security Zones feature to manage the security of his or her mail client," Microsoft wrote in a draft of its bulletin.
 
COPYCATS LIKELY TO POUNCE
Since sample code exists, Cooper expects copycats to begin writing malicious e-mails fairly soon. There is one mitigating factor - since the flaw does not impact most corporate users, and home users are generally a less interesting target, that might limit computer vandal interest in the problem. Corporate users normally have more sensitive, valuable information stored on their computers.
 
The spokesperson for USSR Labs said he felt Microsoft acted quickly to try to patch the hole in this case, but is still concerned that the company doesn't take security seriously enough. "I think it appears it's more important for companies to make software and sell it," he said. "If they have problems later they will fix it."
 
The sample code released today could be altered and used by computer vandals. USSR Labs has not yet released its version, but a spokesperson said the group would when Microsoft releases its fix. He said sample code is an essential part of the process when unearthing a computer bug. "It is the only way to make software companies pay attention," he said.
 
An independent discoverer published the same vulnerability this morning on the "Bugtraq" security mailing list. According to the researcher, identified as Aaron Drew in the e-mail, the bug involves jamming too much data into the date field in the header of an e-mail. But unlike USSR, Drew believes some user interaction is required to initiate an attack. According to his note, Outlook Express users need to open a mail folder containing a malicious e-mail to become vulnerable. Outlook users need to preview, read, reply or forward a malicious e-mail to become vulnerable.
 
"This type of vulnerability lends itself for targeted attacks on individuals via their e-mail address," said Elias Levy, who administers the Bugtraq e-mail list. "[It] also lends itself to the creation of a new e-mail worm ... You can grasp the gravity of the problem."

[reddsteel]

that is terrible for us email-reliers! lol

[Vernon Frazee]

http://home.netscape.com/computing/download/index.html