Experts Warn E-Mail Security Flaw Should be Taken Seriously
Posted July 28, 1998 7:00 a.m. EDT
RALEIGH — If you use some of the most popular Internet-based e-mail programs, your data could be at risk. Internet security experts have found a flaw in mail programs by Microsoft and Netscape. Some are saying this is the most serious security problem in a decade.
The problem is very serious. However, there have been no reports of hackers using what the Secure Programming Group in Finland calls a "gaping hole" to break into systems.
Still, Microsoft, Netscape and businesses are taking this issue seriously. WRAL's Tom Lawrence says you should too -- to protect e-mail on your home computer.
Experts call it an overflow buffer problem. You get a "system memory problem" message or the familiar "illegal operation" message. The problem exists in Microsoft's Outlook 98 and Outlook Express and in Netscape's Communicator mail and news readers.
"Currently there's no known individuals that have been affected by this problem directly but it is possible, although difficult, for somebody to be malicious with the 'gaping hole' as it were," explains Bud Howard, of Broadreach Consulting.
Howard says the problem is not a virus, but a flaw in the software that can, in the worst case, re-format your hard drive.
"With this problem you don't have to open the mail message or the attachment in order to be affected by this. And in many cases the e-mail package has a preview that is actually opening the e-mail for you ahead of you actually getting to it."
You can protect yourself by backing up your files regularly, not opening attachments, disabling preview panes and getting the patch as soon as possible.
You can get help by visiting Microsoft's website. They have a fix already available for the problem. Netscape Communicator's patch is on the way.
The Department of Energy's Computer Incident Advisory Capability says the wide distribution of these programs and the potential for damage make this a very serious problem.
Older e-mail programs and Eudora don't appear to be vulnerable because they don't use MIME (Multipurpose Internet Mail Extensions).