A serious security flaw was discovered in Qualcomm Corp.’s popular third-party eMail software, Eudora, by a Massachusetts software company in early August. The flaw was discovered just days after another flaw was exposed in Microsoft’s Outlook Express and Outlook 98 and Netscape’s current web browser, Communicator, touching off extensive security concerns.

School technology directors scrambled to protect their computers from the flaws, which the U.S. Energy Department called “among the most serious security holes ever identified.”

The bugs could put millions of computers at risk, the energy department warned. Gaining access via eMail, hackers could send computer commands that could crash hard drives and mangle data. The problems were thought to pose a special danger to schools, which are seen as attractive targets for hackers. At press time, no instance of such destruction had been reported.

The flaws were discovered in the four programs most widely used to read electronic mail.

“It’s alarming because it affects 99 percent of people on the internet,” said Daniel Janal, author of Risky Business, a primer on protecting your organization from security problems on the internet.

The Eudora flaw, coming right after a different security problem had been discovered in the Microsoft and Netscape programs, alarmed many people because they had downloaded free versions of Eudora to protect their computers until the Microsoft and Netscape programs could be fixed.

Both Microsoft and Netscape posted information about the flaw on their web sites late in July. A week later, when the second flaw was discovered in Eudora, Qualcomm posted information on its site as well.

As news of the problem raced through education circles, school technology directors reacted to the explanations and software patches the companies were offering.

Dale Copps, librarian and technology coordinator for the Wardsboro Elementary School in Vermont, speculated whether Microsoft and Netscape knew about the flaw for longer than they let on. But Copps said he was glad to see Netscape offer an interim solution while the company works to supply a patch.

“If they [Netscape] deliver on a patch by the promised middle of August, and if the patch is effective, I will be satisfied,” Copps said.

The flaws allow any outsider to send a booby-trapped message that could erase a computer’s hard drive or even steal information.

“What’s particularly frightening about these bugs is that, to my knowledge, it’s the first time a virus can be communicated to another computer with no involvement by the receiver,” said Copps.

Normally, eMail alone can’t do any damage to a system unless the user opens an attachment included by the attacker. But the newly discovered security holes make eMail attacks more possible. In some test cases, simply trying to delete the eMail message activated the attack.

The problem with Microsoft’s and Netscape’s software is related to a protocol for attaching documents to an eMail message called Multipurpose Internet Mail Extensions, or MIME. MIME headers tell the eMail software how to treat the attached file. Older eMail software that is not MIME-compliant is not vulnerable to the flaw.

Hackers could exploit the flaw by assigning an exceptionally long file name–longer than 200 characters–to an attachment. If the name is too long, it will overflow the eMail software’s buffer. At that point, any software code contained in the overflow could execute commands on the user’s computer.

The Eudora flaw is a little different. It allows hackers to insert seemingly harmless links in the text of an eMail message. Instead of taking users to a web address, the link would execute a malicious program that could destroy or steal data from a user’s computer.

Eudora
http://eudora.qualcomm.com/

Microsoft Outlook 98 patch
http://support.microsoft.com/support/msfe

Microsoft Outlook Express patch
http://www.microsoft.com/ie/security/oelong.htm

Netscape
http://www.netscape.com

U.S. Energy Department’s Computer Incident Advisory Capability site
http://caic.llnl.gov/caic/bulletins/i-077a.shtml