SAN MATEO (07/21/2000) - Microsoft Corp. this week found itself fighting a two-front Internet security battle.
The software company patched an ominous security flaw in its Outlook and Outlook Express e-mail software that a malicious hacker could use to corrupt a system merely by sending an e-mail.
Microsoft also addressed a hole in its Internet Explorer (IE) browser that a hacker could use to insert code into the Access database.
Most security holes are exploited after a user opens an e-mail attachment that contains an executable file. But the Outlook buffer overflow bug would eliminate that step, essentially opening up systems that receive a message from an e-mail server.
"Those instructions can go into the Internet and download more code or open doors into the machine," said Elias Levy, CTO of SecurityFocus.com, in San Mateo, Calif., and moderator of the BugTraq service. "The instructions ... are only limited by the imagination of the person sending you the attack and their sophistication."
The security flaw does not affect users of IE 5.5, released two weeks ago, or Explorer 5.01 with Service Pack 1, Microsoft officials said.
SecurityFocus' Levy said buffer overflows are the most common Internet security holes. "Most programs today are written in C and C++, [which] have buffers but do not have bouncers; they leave that task to the programmer. Therefore, buffer overflow is very problematic. Java performs bounds checking and buffer overflows," Levy said.
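The bounds-checking point Levy makes above, as an added example that is not from the article and not Outlook's or any Microsoft code: a toy C parser for one "Name: value" mail-header line, showing the unchecked copy into a fixed buffer beside a version that rejects fields that would not fit. The buffer sizes and the sample header lines are constructed assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sizes for the illustration; real mail clients use their own. */
#define VALUE_MAX 32

struct header {
    char name[16];
    char value[VALUE_MAX];
};

/* The unchecked pattern: the bytes after the colon are copied into a
 * fixed-size field with no length check, so an over-long header line
 * delivered by the mail server overruns 'value'. Never called here. */
void parse_header_unchecked(const char *line, struct header *h)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL) return;
    strcpy(h->value, colon + 1);   /* no comparison against VALUE_MAX */
}

/* Bounded version: returns 1 on success, 0 if the line is malformed or
 * any field would not fit. Oversized input is rejected rather than
 * silently truncated, so the caller can log it and drop the message. */
int parse_header_bounded(const char *line, struct header *h)
{
    const char *colon = strchr(line, ':');
    if (colon == NULL) return 0;
    size_t nlen = (size_t)(colon - line);
    if (nlen == 0 || nlen >= sizeof h->name) return 0;
    const char *v = colon + 1;
    while (*v == ' ' || *v == '\t') v++;           /* skip leading blanks */
    size_t vlen = strcspn(v, "\r\n");              /* stop at line end */
    if (vlen >= sizeof h->value) return 0;         /* the missing "bouncer" */
    memcpy(h->name, line, nlen);  h->name[nlen] = '\0';
    memcpy(h->value, v, vlen);    h->value[vlen] = '\0';
    return 1;
}

int main(void)
{
    struct header h;
    char bad[256];                                  /* constructed oversize line */
    memset(bad, 'A', sizeof bad - 1);
    bad[sizeof bad - 1] = '\0';
    memcpy(bad, "Date: ", 6);
    printf("short line accepted: %d\n", parse_header_bounded("Subject: hello\r\n", &h));
    printf("oversize line accepted: %d\n", parse_header_bounded(bad, &h));
    return 0;
}
```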
The IE Script hole, discovered last month by Bulgarian developer Georgi Guninski, could be triggered if a user visits a malicious Webmaster's site or previews an e-mail containing the code, according to the Bethesda, Md.-based System Administration, Networking, and Security (SANS) Institute.
Windows users running Access 97 or 2000 with IE 4.0 or higher are vulnerable, SANS said. Microsoft recommended a password workaround to block unauthorized code from being executed.
Hitting a rough patch
Recent Microsoft security problems include the following.
March 10: Computer hacker exploits Internet Information Server (IIS) software to download and post thousands of credit card numbers online
May 10: Hackers discover security loophole that allows Hotmail customers' e-mail to be read
May 12: ActiveX flaw makes Internet Explorer Version 5.0 or MS Office 2000 susceptible to viruses without opening infected attachments
July 5: Vulnerability in IE's Active Setup Download feature could lead to overwritten files and crashed computers through launched DoS (denial of service) attacks
Microsoft flags cookies
Microsoft plans to offer an update to its Web browser that would allow users to reject third-party cookies.
When first used, the "cookie management" feature will offer a message asking the user whether or not to accept a cookie (a tiny file sent to computers over the Web used by merchants and others to determine users' preferences and Internet histories).
"It's a great example of consumer privacy being taken seriously and managed responsibly in the industry based on consumer input," said Microsoft COO Bob Herbold.
Microsoft's IE browser will allow users to monitor cookies that are sent to their system. The new technology, which went into a limited beta last week, will heighten awareness of cookies as well as explain the difference between cookies sent from a Web site and those that come from third parties.
One industry group, the Washington-based Computer and Communications Industry Association (CCIA), which has been highly critical of Microsoft's practices, questioned the company's motives.
"This looks very much like another effort by Microsoft to utilize its monopoly power in the Internet browser market to establish dominance in an adjacent market, namely the market for personal data and information," CCIA President and CEO Ed Black said in a prepared statement.
Microsoft said it introduced the option in response to feedback from consumers, privacy advocacy groups, and state attorneys general.