From: crispen@NETSQUIRREL.COM
Reply-To: TOURBUS-Request@LISTSERV.AOL.COM
To: TOURBUS@LISTSERV.AOL.COM
Subject: TOURBUS -- 30 JULY 1998 -- EMAIL VULNERABILITIES IN MICROSOFT OUTLOOK AND NETSCAPE MESSENGER

This post contains inline ASCII graphics that look best in a monospace
font like Courier. Text-to-speech readers should turn off punctuation
now.
   ___________ ____________ _______ __________ _____________ ___ _
  /           |           /        |          |             /   | \
 |       HEY, | RIDE THE / BUS AND | SURF FOR | FREE!      /    |  \
 |____________|_________/__________|__________|___________/     |   \
/                                                        /______|----\
|  SURFREE.COM (surf-free-dot-com) n. 1. A Nationwide    |//////|    |
| Provider of unlimited Net access for $14.95 / month.   |//////|    |
| 2. An opportunity for AOL users to save $84 annually.  |//////|    |
| 3. A fast, reliable means of riding Tourbus & surfing  |//////|    |
| the Web. See also: EASY, 56K access, 24/7 tech support |//////|    |
|      >>> http://www.tourbus.com/surfree.cgi <<<        |//////|    |
\________________________________________________________|______|____|
/   \ /   \                                                 /   \
\___/ \___/    T h e  I n t e r n e t  T o u r B u s        \___/

TODAY'S TOURBUS TOPIC:  EMAIL VULNERABILITIES IN OUTLOOK AND MESSENGER

We have a bunch to talk about today, so let's pay some bills and get
this latest journey of our little bus of Internet happiness underway.
Don't forget to visit today's sponsors to thank them for keeping
TOURBUS on the road week after week.  :)

+------------------ FREE Virtual Greeting Cards ---------------------+
Over 600 exciting Cards! They sing! They Dance! All occasions. See
all four panels of your card. Opens just like a real greeting card.
Beautiful animations.. 100%, absolutely FREE! Send a card now!
+----------------- http://www.greetingsonline.com -------------------+

-------------> SAVE MONEY!  SAVE MONEY!  SAVE MONEY! <---------------
         Refill your inkjet printer. Black ink: $21.95/pint.
               Color: $23.95/pint.  Call 1-888-728-2465
                         or visit our Website
-------------> http://www.oddparts.com/ink/tour.htm <---------------

On with the show ...

According to reports first published in the San Jose Mercury News and
confirmed yesterday by the United States Department of Energy's
Computer Incident Advisory Capability team (CIAC) at the Lawrence
Livermore National Laboratory, Microsoft Outlook, Microsoft Outlook
Express, and Netscape Messenger all contain serious flaws that could
potentially damage your computer.  The CIAC bulletin warns that
Outlook, Outlook Express, and Messenger all contain a "buffer overflow
vulnerability" that

     allows an e-mail or news message to contain malicious code in a
     mime header.  That code is executed when the header is processed
     by the e-mail/news reader ...

     If exploited, this vulnerability allows a remote user to run
     arbitrary code on a user's machine with the user's privileges.
     The remotely executed code could do anything from sending
     thousands of e-mails in the user's name to formatting the hard
     drive.

     [quoted from http://ciac.llnl.gov/ciac/bulletins/i-077a.shtml]

Here is what all of this means in English.  If you have used a
computer for a while, you know that computer file names can only be so
long.  For example, in DOS the longest file name allowed is only 11
characters long (a maximum of eight characters for the filename and
three for the file extension).  If all of this confuses you, look at
the following:

     FILENAME           EXT        WILL DOS ACCEPT THIS FILE NAME?
     12345678           123
     ----------------------------------------------------------------
     ROADMAP            TXT        Yes.
     BATCH              C          Yes.
     TOURBUSRULES       DUDE       No.  Both the filename and file
                                   extension are too long.

Newer platforms like Windows 95 and 98 allow much longer file names
(256 characters, I think), but the important point here is computer
file names can only be so long.

What happens if a computer file name is longer than the computer
normally allows?  Usually, the computer just burps and throws up an
error message.  In Outlook, Outlook Express, and Messenger, however,
the computer does something entirely different.

Let us say someone sends you a program attached to an email message
and the program's file name is

     ROADMAP.TXTFORMAT_THE_HARD_DRIVE_AND_DO_OTHER_NASTY_STUFF

Let us also assume that we are still living in the DOS world, so the
eleven character file name limits we discussed earlier are still in
effect.  Clearly, the file name for our little attachment is MUCH
longer than eleven characters.

According to the CIAC,

     In the vulnerable readers, the headers [or, in this case, the
     file names of attached files] are read into memory and processed
     without checking their length.  When the length of the header is
     longer than one of the buffers in memory where it is stored
     during processing, data in the header that falls beyond the end
     of the buffer overwrites other code and data in memory.  This
     overwriting is the classic "buffer overflow" condition.  If the
     overwritten piece of memory is part of the running program, the
     code from the header in the overwritten part is executed in place
     of the program's code.

     [quoted from http://ciac.llnl.gov/ciac/bulletins/i-077a.shtml]

In other words, in our DOS-world example, the computer could read the
file name "ROADMAP.TXTFORMAT_THE_HARD_DRIVE_AND_DO_OTHER_NASTY_STUFF"
as

     ROADMAP.TXT
     FORMAT_THE_HARD_DRIVE_AND_DO_OTHER_NASTY_STUFF

and could possibly: 1) think that second line is a command; and 2)
execute that command.

This example is pretty simplistic (in the real world the file names
would have to be over 200 characters long before a buffer overflow
would occur), but it should give you a better idea of what the problem
is.  It is also important to note that while the buffer overflow
problem in Outlook, Outlook Express, and Messenger has the potential
to cause damage to a person's computer, there have been no reports
yet of anyone exploiting this vulnerability for malicious purposes.
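
For the programmers on the bus, here is the missing length check the
CIAC describes, as an added example (this is not code from Microsoft,
Netscape, or the CIAC bulletin). The function name, the return codes,
the sample headers, and the 200-byte buffer are all assumptions made
for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 200  /* assumed size; the post only says "over 200 characters" */
enum { NAME_OK = 0, NAME_MISSING = -1, NAME_UNTERMINATED = -2, NAME_TOO_LONG = -3 };

/* Copy the quoted filename="..." parameter of a MIME header into out.
 * The unsafe pattern the bulletin describes is an unbounded copy such as
 * strcpy(out, value). Here the length is measured first, and an overlong
 * name is rejected instead of being written past the end of out. */
int extract_filename(const char *header, char *out, size_t out_size)
{
    static const char key[] = "filename=\"";
    const char *start, *end;
    size_t len;

    if (out_size == 0)
        return NAME_TOO_LONG;
    out[0] = '\0';                      /* out is always a valid string */
    start = strstr(header, key);
    if (start == NULL)
        return NAME_MISSING;
    start += sizeof(key) - 1;           /* skip past filename=" */
    end = strchr(start, '"');
    if (end == NULL)
        return NAME_UNTERMINATED;       /* no closing quote: malformed */
    len = (size_t)(end - start);
    if (len >= out_size)                /* need room for the trailing NUL */
        return NAME_TOO_LONG;
    memcpy(out, start, len);
    out[len] = '\0';
    return NAME_OK;
}

int main(void)
{
    /* Constructed sample headers, not taken from a real message. */
    char name[NAME_BUF], big[600] = "Content-Disposition: attachment; filename=\"";
    size_t n = strlen(big);

    printf("%d\n", extract_filename(
        "Content-Disposition: attachment; filename=\"ROADMAP.TXT\"", name, sizeof name));
    memset(big + n, 'A', 300);          /* a 300-character attachment name */
    big[n + 300] = '"';
    big[n + 301] = '\0';
    printf("%d\n", extract_filename(big, name, sizeof name));
    return 0;
}
```
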

Still, many people could be affected by this buffer overflow problem:

     People who use a version of Outlook Express that shipped with
     Microsoft Internet Explorer 4.0 or 4.01 on Windows 98, Windows
     95, Windows NT 4.0, Windows NT for DEC Alpha, Macintosh, or UNIX.
     Windows 3.1 and Windows NT 3.51 versions of Internet Explorer are
     *NOT* affected by this issue.  For information on how to fix the
     buffer overflow problem in Outlook Express, go to
     http://www.microsoft.com/ie/security/oelong.htm

     People who installed Outlook '98 using the Internet Mail Only
     (IMO) installation or the Internet E-mail service in the
     Corporate or Workgroup (CW) installation.  For information on how
     to fix the buffer overflow problem in Outlook '98, go to
     http://support.microsoft.com/support/downloads/LNP499.asp
     and then click on the "More Information" link beneath the
     "OUTPATCH.EXE: Microsoft Outlook 98 Security Patch" paragraph.

     People who use the mail and news components of Netscape
     Communicator 4.0 through 4.05 on Windows 3.1, 95, 98, and NT.
     Also vulnerable are people who use the mail and news components
     of Netscape Communicator 4.5 Preview Release 1 on Windows 95, 98,
     and NT.  For more information on how to deal with the buffer
     overflow problem in Netscape Messenger (Mail), go to
     http://home.netscape.com/products/security/resources/bugs/longfile.html

If you use *ANY* other email program you do not need to worry.  The
buffer overflow problem apparently does not (and will not) affect you.
This is an important point, so I will say it again.  Unless you use
Microsoft Outlook, Microsoft Outlook Express, or Netscape Messenger
(also known as "Netscape Mail"), you do not have to worry about the
buffer overflow problem.  It does *NOT* affect you or your email
program.

I also want to share with you something that the CIAC mentioned in its
most recent bulletin:

     While at first glance this appears to [be] the Good_Times hoax
     come to life (see
     http://ciac.llnl.gov/ciac/CIACHoaxes.html#goodtimes) this is not
     really the case.
     Good_Times was supposed to run itself on any system that
     downloaded and read the Good_Times message.  This mime name
     vulnerability is caused by improperly handled mime headers in a
     few versions of some very popular e-mail/news readers.  By
     replacing the vulnerable readers with properly patched versions,
     this vulnerability is eliminated.

In other words, despite the media's recent cries that this buffer
overflow problem is proof the "email sky" is falling, the world of
email is still extremely safe.  The problems with Outlook, Outlook
Express, and Messenger are simply an example of poor programming.
Microsoft's and Netscape's programming errors aside, you still cannot
get a virus or Trojan Horse from simply reading an email letter with
your eyes, regardless of that letter's subject line.  Anyone who tells
you otherwise is either misinformed or is lying.

For more information on this issue, visit the CIAC's most recent
bulletin on the buffer overflow problem at

     http://ciac.llnl.gov/ciac/bulletins/i-077a.shtml

Actually, you might want to also check

     http://ciac.llnl.gov/cgi-bin/index/bulletins?i

to see if the CIAC has released any new bulletins on this issue (the
latest bulletin is I-077a).

Since the San Jose Mercury News was the first news organization to
report this story, you might want to check out David Wilson's article
"U.S. issues alert over e-mail flaw"

     http://www.sjmercury.com/business/tech/docs/security072998.htm

I'm only guessing here, but I'd be willing to bet that the folks at
the San Jose Mercury News will continue to follow this story closely
and will post regular updates in their Good Morning Silicon Valley
section at

     http://www.sjmercury.com/gmsv/gmsv_morning.shtml

and in their business "tech wire" section at

     http://www.sjmercury.com/business/tech/

For more information on the Mercury News, see the 25 June 1998 or 21
May 1998 TOURBUS posts at .  For
more information on the CIAC, see the 19 March 1998 TOURBUS post at
the same address.

... and yes, you have my permission to forward today's post to your
friends.  All I ask in return is that you forward *ALL* of today's
post -- ads, Southern Words, subscription info, everything.  And if
you include a plug telling your friends they *have* to subscribe to
TOURBUS because it is so cool, I promise I'll be your new best
friend.  :P

--------------------------------
TODAY'S SOUTHERN WORD OF THE DAY
--------------------------------

DALE (noun). A brand of computer.
USAGE: "Bubba, juhere that Patrick Crispen just got hisself a
Dale 'puter?"

[Special thanks goes to Benton Levengood for today's wurd]

You can find all of the old Southern Words of the day at
http://netsquirrel.com/crispen/word.html


=====================[ TOURBUS Rider Information ]===================
   The Internet TOURBUS - U.S. Library of Congress ISSN #1094-2238
      Copyright 1995-98, Rankin & Crispen - All rights reserved
            Archives on the Web at http://www.TOURBUS.com
=====================================================================

            .~~~.  ))
  (\__/)  .'     )  ))       Patrick Douglas Crispen
  /o o  \/     .~
{o_,    \    {      **NEW** crispen@netsquirrel.com **NEW**
   / ,  , )    \           http://www.netsquirrel.com/
   `~  '-' \    } ))
  _(    (   )_.'               Warning: squirrels.
'---..{____}
