LM_NET: Library Media Networking
- Subject: email problem using Netscape and Explorer
- From: MaryAnn Rizzo <rizzoma@PRIMENET.COM>
- Date: Wed, 5 Aug 1998 20:38:36 -0700
Hi,
I ran into this information on one of the web sites. It appears to be
more than the usual email bogus statements. I checked both Netscape and
Microsoft sites before sending this off. I copied the article from:
http://www.eschoolnews.org/stories/story2.html
The netscape version of the story is at:
http://home.netscape.com/products/security/resources/bugs/longfile.html?hom
08prt1
Netscape believes that only the Windows environment is affected.
Netscape explains how to handle the problem.
For the Explorer, both platforms seem to be affected. The explorer
information can be found at:
http://www.microsoft.com/security/bulletins/ms98-008.htm
Those using independent stand alone email packages (Claris or Eudora)
appear not to be affected.
Netscape and Microsoft are working on fixes. Apparently they haven't
got it yet (depending on which article you read).
Hope this helps.
MaryAnn
School tech leaders scramble to neutralize eMail
threat
By Dennis Pierce, Assistant Editor, eSchool News
School technology directors from coast to coast were scrambling early in
August to
protect their computers from an eMail flaw the U.S. Energy Department
called "among
the most serious security holes ever identified."
The bug puts millions of computers at risk, the energy department warned
on July 28.
Gaining access via eMail, hackers could send computer commands that
could crash hard
drives and mangle data. The flaw, discovered in three of the most
popular eMail
programs, was thought to pose a special danger to schools, which are
seen as attractive
targets for hackers. At press time, no instance of such destruction had
been reported.
The problem first was discovered by Finnish researchers in June,
authorities said, but
word of it did not begin circulating on the internet until late July. So
far, tests have
shown its presence in the three programs most widely used to read
electronic mail:
Microsoft's Outlook Express and Outlook 98 and Netscape's current web
browser,
Communicator.
"It's alarming because it affects 99 percent of people on the internet,"
said Daniel Janal,
author of "Risky Business," a primer on protecting your organization
from security
problems on the internet.
Although Qualcomm Corp.'s Eudora is the most popular third-party eMail
software,
Janal said, most people use the eMail program built into their web
browser, such as
Netscape's Communicator.
Both Microsoft and Netscape posted information about the flaw on their
web sites late
in July. As news of the problem raced through education circles, school
technology
directors reacted to the explanations and software patches the companies
were offering.
Dale Copps, librarian and technology coordinator for the Wardsboro
Elementary School
in Vermont, speculated whether Microsoft and Netscape had known about
the flaw for
longer than they've let on. But Copps said he was glad to see Netscape
offer an interim
solution while the company works to supply a patch.
"If they [Netscape] deliver on a patch by the promised middle of August,
and if the
patch is effective, I will be satisfied," Copps said.
The flaw allows any outsider to send a booby-trapped message that could
erase a
computer's hard drive or even steal information.
"What's particularly frightening about this bug is that, to my
knowledge, it's the first
time a virus can be communicated to another computer with no involvement
by the
receiver," said Copps.
Normally, eMail alone can't do any damage to a system unless the user
opens an
attachment included by the attacker. The new flaw, however, cannot be so
easily
avoided. In some test cases, simply trying to delete the eMail message
activated the
attack.
The problem is related to a protocol for attaching documents to an eMail
message called
Multipurpose Internet Mail Extensions, or MIME. MIME headers tell the
eMail software
how to treat the attached file. Older eMail software that is not
MIME-compliant is not
vulnerable to the flaw.
Hackers could exploit the flaw by assigning an exceptionally long file
name--longer
than 200 characters--to an attachment. If the name is too long, it will
overflow the eMail
software's buffer. At that point, any software code contained in the
overflow could
execute commands on the user's computer.
How to protect your computers
``We're definitely not taking this lightly,'' Microsoft group product
manager George
Meng told the San Jose Mercury News. ``There definitely is a scenario in
which
someone could do damage to people's systems.''
Microsoft confirmed the flaw affects versions of Outlook Express shipped
with
Microsoft Internet Explorer 4.0 or 4.01 on Windows 98, Windows 95,
Windows NT
4.0, and Windows NT for DEC Alpha, as well as Windows versions for
Macintosh or
UNIX machines.
Users of Internet Explorer for Windows 3.1 and Windows NT 3.51 operating
systems
are not affected, Microsoft said.
The company released a software patch on July 27 but quickly discovered
the patch was
ineffective. On July 28, Microsoft said an updated patch would be
available soon.
Netscape said the flaw affects its Communicator 4.0 through 4.05 on
Windows 3.1,
95, 98, or NT platforms and Communicator 4.5 Preview Release 1 on
Windows 95,
98, or NT.
Versions of Communicator for Macintosh and Unix platforms are not
vulnerable, nor
are any versions of Netscape Navigator, the company said.
Netscape's patch is not expected for another two weeks, but the company
has
developed a web page to keep its customers informed.
In the meantime, if you use one of the versions of Communicator that is
vulnerable to
attack, Netscape recommends that you configure the software to view
attachments as
links rather than display them in the text of the message. To do that,
select the "View"
menu, then select "Attachments" and select "As Links."
Also, if you receive a message that contains an attachment with a
filename extending
beyond the window width, Netscape said you should not select the "File"
menu under
any circumstances. For more information, see Netscape's web page (URL
below).
Wardsboro Elementary School uses Netscape Communicator as its eMail
software, and
Copps said he would be downloading and installing the software patch as
soon as it is
available.
"I'm certainly taking the threat seriously, and I think all educators
should," he said.
Janal, who runs Norton's antivirus and desktop utility on his personal
computer, said
the first thing he did after learning about the program flaw was
download the latest
upgrade from Norton's web site. Users should be sure to upgrade their
anti-virus
software at least once a month, Janal said, and especially during a big
scare.
You should also take the time to back up your hard drive, Janal said. At
the very least,
he said, make copies of your word processing programs, financial files,
and any other
data files that you created, such as your Windows address book.
"The most important thing that you have is your intellectual property,"
Janal said.
If you want to minimize your risks while you wait for the correct
patches, you can
download a free version of Eudora Light. The third-party eMail software
is not affected
by the application flaw, experts said.
MaryAnn "the librarian" Rizzo
District Library Media Specialist
519 Melody Lane
Bisbee Unified School District
Bisbee, AZ 85603
e-mail address: home: rizzoma@primenet.com
work: rizzoma@tcsn.uswest.net
web page: http://www.bisbee.k12.az.us/std/rizzo/rizzomain.index.html
"We need to educate our children for their future, not our past." A.C.
Clark
"Keep smiling. It keeps others wondering about you." M. Rizzo
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=
To quit LM_NET (or set-reset NOMAIL or DIGEST), Send email to
listserv@listserv.syr.edu In the message write EITHER:
1) SIGNOFF LM_NET 2) SET LM_NET NOMAIL or 3) SET LM_NET DIGEST
3) SET LM_NET MAIL * Please allow for confirmation from Listserv
For LM_NET Help & Archives see: http://ericir.syr.edu/lm_net/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=
LM_NET
Archive Home