E-mail buffer overflow virus is a REAL threat!

From: David C. Harris (dharris@best.com)
Date: Thu Jul 30 1998 - 01:49:39 MDT


Normally messages about e-mail viruses are indeed hoaxes, but this one is
different. If you have certain e-mail handling programs, including widely
used programs from Microsoft and Netscape, you will be affected by any
e-mail sent to you that is crafted to exploit this vulnerability. In the
process of receiving e-mail that has a special kind of long name for its
MIME attachment, the e-mail receiving program will activate code
(instructions) written by a virus writer. Although there are no reports of
such viruses being sent yet, if you have the wrong kind of e-mail program,
you will be completely vulnerable to any virus crafted to attack your
program. Security experts expect such e-mail viruses to be sent soon.

I am a computer programmer and had the title Systems Analyst at Syntex, the
pharmaceutical company. I will explain how this class of virus can cause
havoc even without you intentionally running a program, running a Word
macro, or opening an attachment.

If you want to jump straight to the article, or read it yourself, I've
copied it exactly as published on the free Web site of the San Jose Mercury
newspaper, whose URL I include below. I am violating their copyright
because of the gravity of this threat. If in doubt about the authenticity
of my copy of the article, browse the Mercury's site. The Mercury is a
fine source of computer and high tech reporting. I hope they will treat my
transgression as a form of advertising for their Web site and their "scoop"
of this story.

First, not all e-mail programs are at risk: if you are using a Eudora mail
reader, such as Eudora Lite or Eudora Pro, this virus cannot damage your
system. You can read the reassurance at <http://www.eudora.com>, near the
bottom of the long page. But the problem is present in "Microsoft's
Outlook Express and Outlook 98, and Netscape Communications Corp.'s
Messenger Mail, which accompanies versions 4.x of the Communicator Web
browser software. Other e-mail readers may be affected" (quoted from the
article below).

Now, how can just an e-mail be used to attack a computer? The e-mail
reading program stores a piece of text (the name of the MIME attachment in
this case) starting at a particular place in memory, called a "buffer". A
correctly written program checks that the text of the attachment name does
not exceed some length. But in this case, with some very widely used
e-mail programs, the programmers failed to put in the code that prevents a
long name from going past the normal end of the buffer. This was the same
kind of flaw that allowed the infamous "Morris worm" to take control of
UNIX computers years ago, bringing down much of the Internet for a day or so.

So, how does a long name that goes past the normal end of buffer cause
trouble? In these cases there are memory locations beyond the end of the
buffer that the e-mail reading program expects to contain executable code
(instructions to do something normal). But the virus writing "crackers"
(often called "hackers") carefully construct a VERY LONG name so that it
contains bytes of information that fall exactly where the executable code
normally occurs. The "good" instructions of the program get replaced by
bytes from the long name. The particular bytes of information are
transmitted as part of a long name, but because they are placed in a
location that the program "knows" will contain instructions, the bytes are
treated as instructions. The crafty virus writer will choose the bytes to
be ABNORMAL CODE that, when executed, causes the e-mail program to go to
and begin executing malevolent code the virus writer has stored still later
in the actual MIME attachment. That malevolent code can do anything that
the virus writer chooses.

So, because of a failure to prevent buffer overflow, some e-mail programs
are vulnerable to such subversion of their normal activities. These
failures to block buffer overflow are rare, and becoming rarer as
programmers become more aware of this class of threats. But apparently
such failures ("bugs") are present today in some e-mail programs. Security
experts detected the problem first, but because some people might leak the
news to virus writers, the security experts have publicized the problem and
programmers are developing patches and new versions of the e-mail programs
to eliminate the overflow possibility.

So what should you do? If you are using one of the defective mail reading
programs, check the Web site of the creators, who will post patches and
instructions soon. They understand the virulence of the threat. Don't
delay, because what I explained here is common knowledge among virus
writers, and they may exploit these buffer overflow defects very soon.
Take this virus scare seriously. You may want to download a free copy of
Eudora Light or purchase the full featured (and quite good) Eudora e-mail
program. Eudora's programmers protected their buffer and deserve the extra
business that may come their way.

Hopefully, the security experts and authorities will be watching for "spam"
that includes these very long, carefully constructed, MIME attachment
names. And hopefully they will find the sender(s) of such virus e-mail and
prosecute them for damage done. And hopefully both Microsoft and Netscape
programmers will be more careful in the future. But for now, if you are
using certain e-mail programs, you are at risk.

  - David C. Harris
    Palo Alto, California

-------- [The article begins here.] ------------------------------------
Published Wednesday, July 29, 1998, in the San Jose Mercury News

[For 7 more days the archived article will be available online at the
source: <http://www.mercurycenter.com/premium/business/docs/SECURE29.htm>]

           U.S. issues alert over e-mail flaw

Emergency bulletin calls problem extremely serious

BY DAVID L. WILSON
Mercury News Staff Writer

The U.S. Energy Department's computer security team confirmed Tuesday that
a significant security flaw exists in three of the most popular e-mail
programs around that, left unrepaired, could have catastrophic consequences
and urged users to repair or replace the software.

Corporate technology managers spent Tuesday frantically scrambling for more
information about the flaw, which was first reported in the Mercury News.
And users found it difficult to find the correct patches for the
security hole.

Software companies initially provided little additional technical
information about the problem and no real fixes. Microsoft Corp., for
example, offered patches that were determined to be ineffective and were
subsequently withdrawn.

The flaw, which allows an outsider to send a booby-trapped e-mail message
capable of executing commands on the user's computer --- anything from
sending out thousands of e-mails in the user's name to erasing the hard
drive --- exists in some of the most popular software in the world:
Microsoft's Outlook Express and Outlook 98, and Netscape Communications
Corp.'s Messenger Mail, which accompanies versions 4.x of the Communicator
Web browser software. Other e-mail readers may be affected, but most
researchers now believe that another commonly used program, Qualcomm
Corp.'s Eudora, is safe. The flaw can be exploited on the most common
computer operating systems.

The Computer Incident Advisory Capability, the Energy Department's team,
headquartered at the Lawrence Livermore National Laboratory, declared in an
emergency bulletin that the situation is extremely serious: ``We base this
assessment on the ease with which the vulnerability can be exploited, the
widespread use of the vulnerable e-mail/news readers and the potential for
doing serious damage to a computer.''

Microsoft attempted to post patches for the hole in its products Monday,
but technical problems kept most users from getting to them. Then the
company discovered that the first set of patches didn't work. Anybody who
downloaded the first set of patches is urged by the company to download
them again, probably later this week. Alternatively, users can download a
free copy of Eudora Light until a patched version of their favorite e-mail
program is available.

Some users believed the story was incorrect because it is so similar to a
well-known Internet hoax called the Good Times virus. Typically, a user
gets an e-mail warning them to delete any e-mail with the subject ``Good
Times'' because, if opened, the Good Times e-mail will reformat the hard
drive. The warning message urges the recipient to ``send this to all your
friends,'' creating a flood of unnecessary e-mail and chewing up system
resources.

Normally, e-mail alone can't do any damage to a system. But attackers can
attach a file that's essentially a program to an e-mail message. If a user
runs that program, it could do damage to the system, which is why system
administrators warn users to avoid opening attachments from strangers.

But this latest flaw can be triggered in some cases without even opening
the booby-trapped e-mail.

The problem can be exploited by assigning an exceptionally long file name
--- sometimes hundreds of characters --- to an attachment. If the name is
too long, it will overflow the e-mail program's buffer. At that point, any
software code contained in that overflow can sometimes execute commands on
the user's computer.

The problem is related to MIME capabilities, or Multipurpose Internet Mail
Extensions, which let e-mailers work with items besides text. MIME headers
tell the e-mail software how to treat the file. Older e-mail software that
is not MIME-compliant is not vulnerable to the hole.

While no one believes this flaw has been exploited outside the laboratories
where it's been researched for the past month, experts are urging users and
computer system administrators to repair their systems as quickly as
possible, on the assumption that ``black hat'' hackers will soon be
exploiting the problem.

``I'm just scared that somebody is going to spam the world with this.
Soon.'' said William J. Orvis, a security specialist with CIAC.

Computer system administrators around the world are studying the situation,
trying to see what needs to be done.

``We don't normally comment on our internal systems, for security
reasons,'' said Lew Wagner, senior manager of the corporate information
security department at networking giant Cisco Systems Inc. Wagner, however,
said the standard e-mail package used inside Cisco is not affected by the
problem, adding there could be some people within the organization who are
using something else.

``We're trying to make sure our 14,000 employees are not using any
unauthorized applications,'' he said.

----------------------------------------------------------------------------
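The buffer mechanics the message explains (a fixed-size buffer for the MIME attachment name, with no check that the name fits, so a long name runs past its end) and the check it hopes operators will run for spam carrying very long attachment names can both be shown in a few lines of C. The following is an added example, not code from David C. Harris, the Mercury News, or any of the mail programs named above; the buffer size NAME_MAX_LEN, the struct layout, the helper names and the sample headers are all constructed for illustration, and the "unchecked" function stands in for the class of defect, not for any vendor's actual code.

```c
/* Added example: the defective copy pattern beside its bounded form, plus a
 * gateway-side check for over-long MIME attachment names.  All names and
 * sizes here are hypothetical; none come from the original e-mail. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 64   /* hypothetical size of the attachment-name buffer */

struct attachment {
    char name[NAME_MAX_LEN];  /* the "buffer" the message describes */
    int  kind;                /* data that sits after the buffer in memory */
};

/* Find the value of filename="..." in a Content-Disposition header line.
 * Returns a pointer to the first character of the value and sets *len,
 * or NULL when the parameter is absent or unterminated. */
static const char *find_filename_param(const char *header, size_t *len) {
    const char *p = strstr(header, "filename=\"");
    if (p == NULL) return NULL;
    p += strlen("filename=\"");
    const char *end = strchr(p, '"');
    if (end == NULL) return NULL;
    *len = (size_t)(end - p);
    return p;
}

/* Defective pattern (the class of bug described above): copies however many
 * bytes the sender chose.  A name of NAME_MAX_LEN or more bytes runs past
 * the end of name[] into whatever follows it.  Never called with a long
 * name in this example; it is here only for contrast. */
static void store_name_unchecked(struct attachment *a, const char *val, size_t len) {
    memcpy(a->name, val, len);
    a->name[len] = '\0';
}

/* Corrected pattern: refuse anything that would not fit, terminator included.
 * Returns 0 on success, -1 when the name is rejected as too long. */
static int store_name_checked(struct attachment *a, const char *val, size_t len) {
    if (len >= NAME_MAX_LEN) return -1;
    memcpy(a->name, val, len);
    a->name[len] = '\0';
    return 0;
}

/* Parse one Content-Disposition header into an attachment via the checked
 * path.  Returns 0 on success, -1 if no filename parameter, -2 if rejected. */
int parse_attachment(const char *header, struct attachment *out) {
    size_t len;
    const char *v = find_filename_param(header, &len);
    if (v == NULL) return -1;
    if (store_name_checked(out, v, len) != 0) return -2;
    out->kind = 1;
    return 0;
}

/* Mail-gateway check: 1 if the header carries a filename parameter longer
 * than `limit` characters, 0 otherwise (including when there is none). */
int header_filename_too_long(const char *header, size_t limit) {
    size_t len;
    const char *v = find_filename_param(header, &len);
    return (v != NULL && len > limit) ? 1 : 0;
}

/* Constructed sample: a header whose filename parameter is 200 characters,
 * the "hundreds of characters" the article mentions. */
const char *build_long_header(void) {
    static char buf[512];
    const char *prefix = "Content-Disposition: attachment; filename=\"";
    size_t plen = strlen(prefix);
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', 200);
    buf[plen + 200] = '"';
    buf[plen + 201] = '\0';
    return buf;
}

int main(void) {
    struct attachment a;
    const char *ok = "Content-Disposition: attachment; filename=\"report.doc\"";

    /* Short name: both patterns behave identically. */
    size_t len;
    const char *v = find_filename_param(ok, &len);
    store_name_unchecked(&a, v, len);
    printf("unchecked copy of short name: %s\n", a.name);

    printf("checked parse of short name: %d\n", parse_attachment(ok, &a));
    printf("checked parse of 200-char name: %d\n", parse_attachment(build_long_header(), &a));
    printf("gateway flag (limit 128): %d\n", header_filename_too_long(build_long_header(), 128));
    return 0;
}
```

The checked path rejects the 200-character name outright rather than silently truncating it, which is the simpler behaviour to reason about; a gateway that merely logs `header_filename_too_long` hits would give the operators the message's last paragraph hopes for a way to notice such traffic.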



This archive was generated by hypermail 2.1.5 : Fri Nov 01 2002 - 14:49:24 MST