I'm not on the list anymore, so I don't know if this information has been sent to you. But it is serious enough to mail it anyway. I am going to try to download a patch for communicator Monday NATIONAL NEWS Security flaw lets computer virus in through e-mail Microsoft, Netscape users at risk By JOHN MARKOFF Copywright 1998, The New York Times' SAN FRANCISCO - A seri- ous security flaw has been dis- covered in popular e-mail programs published by Microsoft Corp. and Netscape Communica- tions Corp. that would permit a malicious person to send a mes- sage containing a virus that could crash a computer, destroy or even steal data. So far, security tests have shown that the flaw exists in three of the four most popular e- mail programs, used by perhaps tens of millions of people around the world: Microsoft's Outlook Express and Outlook 98 and Netscape's Web browser, Nav- igator, which is part of its Com- municator suite of Internet programs. While Microsoft is providing fixes, the flaw is particularly worrisome in the Microsoft Out- look 98 program, which com- bines e-mail with a scheduler, contact list, notes and other tasks, because this software al- lows an illicit program attached to a piece of e-mail to execute without any activity on the part of the person using the target computer. Most computer vi- ruses can infect a machine only when the user opens an infected file or attempts to run an in- fected program. What is more, Microsoft ad- mitted Tuesday that the first fix that was offered on the compa- ny's Web site, on Monday, does not repair the problem. Anyone who downloaded and installed that fix will have to return to the Web site and download and in- stall the new version. Microsoft reported Tuesday that users of its Outlook Express program, the e-mail software supplied with Windows 95 and Windows 98, would have to open an infected attachment before a malicious program could be exe- cuted. Netscape officials sa~d Tue~- nicator program wo~~III~d also have _ to open a ifie before a virus could activate. The extra danger of the Outlook 98 program is that it al- lows a malicious e-mail attach- ment to execute at the moment the e-mail messag~ arrives at the computer. Microsoft officials said the flaw was present in versions of the Outlook Express shipped with Microsoft Internet Explorer 4.0 or 4.01 on Windows 98, Win- dows 95,. Windows NT 4.0 and Windows NT for DEC Alpha, as well as in versions for Macintosh and UNIX machines. Windows 3.1 and Windows NT 3.51 versions of Internet Ex- plorer are not affected. In all, Microsoft said Tuesday that it had distributed about 2 million copies of the more seri- ously flawed Outlook 98 program and at least a million copies of Outlook Express. Netscape could only report that 70 million copies of its Navigator/Communicator software had been downloaded, but the company could not deter- mine how many people used the browser's built-in e-mail software. Many people use sepa- rate, more sophisticated pro- grams than those shipped with browsers. The most popular of these is Eudora, a mail program pub- lished by the Qualcomm Corp. Security researchers said Eudora was not vulnerable to the prob- lem. Although there is no evidence that any computer virus has been distributed that exploits this newly discovered vulnerabil- ity, security experts say that since word of the flaw leaked on the Internet over the weekend, virus makers are undoubtedly aware of it and will work quickly to take advantage of it. As of Tuesday, Microsoft was already providing "patches," small programs that repair the flaw in e-mail programs in ques- tion for its Windows and NT op- erating system. The company said that fixes for Macintosh and Unix computers will be forth- coming. Microsoft officials said the company's software development group was attempting to deter- mine how the flawed code made _ it into their software. Netscape officials posted a notice about the problem on their Web site Tuesday, noting that the flaw affects only the Windows and Windows NT ver- sions of Navigator, not those dis- tributed for Macintosh or UNIX machines. The company said it would post a patch for its Win- dows and NT versions within two weeks. Neither company has any plans to notify users of the danger and the availability of patches other than the notices.
This PTG archive page provided courtesy of Moy Piano Service, LLC