FRAMINGHAM (07/21/2000) - News this week of a new hole in Microsoft Corp.'s Outlook e-mail client software illustrates why sometimes even following safe security practices may not be protection enough for enterprises, analysts said.
The so-called buffer overrun vulnerability - initially discovered by an Argentinian security firm - allows a cracker to launch an attack that can proceed without the victim doing anything to trigger it.
All an attacker has to do to exploit the weakness is send an e-mail that, when downloaded from a mail server, could either crash the victim's system or cause malicious code to be run on it, said Russ Cooper, editor of Lindsay, Ontario-based NTBugtraq, a popular online security bulletin board.
Such code could then potentially let malicious attackers take any action on the victim's computer, including reformatting the hard drive, communicating with an external Web site or changing data on the computer, warned a Microsoft advisory.
An Upgrade Work-Around
Microsoft said users could work around the problem by doing a full-version upgrade of their Web browser software to either Internet Explorer 5.5 or Service Pack 1 of IE 5.01.
Windows 2000 users with IE 5.5 will need to uninstall the software and reinstall the IE 5.01 service pack, the company added. A Microsoft spokeswoman said the company is working on a stand-alone patch that would eliminate the problem for users who choose not to do full-version browser upgrades.
Exploiting the weakness requires considerable skill on the part of the attacker, and not all Outlook users are affected, analysts said.
What makes the hole so dangerous is that the vulnerability occurs when e-mail is being downloaded from the server, said Jesper Johansson, an assistant professor at Boston University and editor of the SANS Windows Security Digest.
Recipients don't need to open the mail - or even preview it - for the vulnerability to be exploited, Johansson said. "You don't have to go anywhere. . . . I can send you an e-mail and it blows up your system," he said.
As a result, even following recommended safety practices - such as not opening attachments from unknown sources or disabling e-mail scripting functionality - would be of little help, analysts said.
Virus-scanning software that looks for malicious code on hard drives would be of little use either, since the vulnerability occurs before the mail is fully downloaded.
Similarly, filtering technologies designed to block e-mail attachments wouldn't work because with this hole crackers don't need attachments to smuggle in malicious code, analysts said.
News of last week's buffer overflow problem came less than a week after Microsoft posted a work-around for what analysts described as an equally dangerous hole in Microsoft's Access database management software.
The so-called IE script hole let crackers embed and execute malicious Visual Basic code in Microsoft's Access database management software via IE.
As with the buffer overflow problem, users could be compromised simply by visiting a rogue Web site or by previewing e-mail containing malicious code.