PALO ALTO, Calif. (Reuters) - Some of the most popular e-mail programs
have a security flaw that could allow hackers to erase files or wreak other
damage on users' systems, The San Jose Mercury News reported Tuesday. The
report called the flaw a ``gaping hole'' in the e-mail programs and said
that some experts believe it to be the biggest such problem to surface
in a decade. The flaw, discovered by computer security experts in Finland,
affects two Microsoft Corp. e-mail programs -- Outlook Express and Outlook
98 -- as well as Netscape Communications Corp.'s Web browser. Microsoft
officials were not immediately available to comment, but Netscape said
it was working on a patch to fix the security hole and should have one
available in two weeks. Netscape emphasized that there have been no reports
of an actual hacker attack through the hole, which was discovered by experts
who routinely scan computer programs looking for bugs. The flaw was found
last month by the Secure Programming Group at Oulu University in Finland,
the newspaper said. The discovery alarmed some experts because it appears
comparatively easy to execute an attack. Tests found an attack could be
activated simply when the user tried to delete an offending message.
The flaw centers around e-mail ``attachments,'' commonly used in electronic
correspondence to send background files or additional information. But
unlike other flaws, which allow attacks only when the user runs the offending
attachment, users with this flaw in their systems could potentially be
attacked without even opening the attachment. ``The implications and the
repercussions could be so powerful and long-lasting that if you don't address
it immediately, you run the risk of the problem cascading,'' Mike Nelson,
a computer industry consultant who previously worked for the security firm
Pretty Good Privacy Inc., told Reuters. One problem with a flaw in e-mail
systems is that it cannot be corrected centrally. Even after companies
come out with a fix, it is up to individual users to hear about the patch
and take the time to install it.
Dave Rothschild, vice president of Client Products at Netscape, said the
company advises e-mail users not to read attachments from unknown senders,
as a security precaution. As an alternative, users receiving a mysterious
attachment may write back to the sender and ask them to resend the attachment
in the main body of the e-mail. The new flaws appear to affect only e-mail
programs running on Microsoft's Windows, but not Macintosh or Unix systems.