CeePrompt! Computer Connection

Originally published Monday, August 24, 1998 

Outfoxing evil 'black hatters'

After just settling in to a much- anticipated vacation, I learned I had no repellent for a virulent insect that could be mounting a deadly attack. Is there no rest for the weary? It was headline news as researchers from Finland announced the discovery of a serious flaw in the world's most popular e-mail programs that could lead to the destruction of millions of PC and Mac systems, if exploited by evil hackers. This is no hoax.

The discovery of the so-called "Mime-bug" was ominous and taken most seriously by Microsoft and Netscape so that corrective measures, called "patches," could be immediately deployed for their popular programs, Outlook Express, Outlook and Messenger. It was hoped that aggressive, proactive announcements would allow programmers to stay one step ahead of "Black Hat" hackers who delight in widespread electronic destruction for the sheer fun of it. Not since the apocalyptic predictions that accompanied Y2K concerns, have I seen a problem taken so seriously by the technology community.

Realize that these security holes are still theoretical at this point, since there has been no known use of their exploitation by hackers, but they have been confirmed by research experts. For this reason, industry analysts worry that the general public might discount the serious nature of this problem and delay installing corrective patches until it is too late.

It is, in fact, consumers who should be most concerned about this vulnerability since potential attacks will be aimed at individual users and could potentially wipe out an entire hard disk without ever opening the tainted message.

The crux of the problem lies in the mail program's inability to manage file attachments with names that exceed 200 characters in length. The file attachment itself may, in fact, be quite benign but it's the attachment filename in the e-mail header that opens the door to a potential attacker.

Simply highlighting a message in your Inbox, or moving the mouse over the attachment icon could trigger the fuse.

Microsoft and Netscape are both testing and churning out patches to address the problem. Microsoft posted its most recent fix for Outlook and Outlook Express on Aug. 11 at its website, www.microsoft.com/security and Netscape's latest browser version 4.06 includes the vulnerability fix.

It was originally thought that the flaw only affected Microsoft and Netscape mail products, but security flaws have now been discovered in the Eudora e-mail client as well. Like its industry counterparts, Qualcomm is working on patches and new versions to address the problem.

With so many hoaxes circulating throughout the Internet, it's often difficult to differentiate between genuine problems and practical jokes.

Just last week I received what appeared to be a legitimate warning from a colleague advising the dangers of downloading an unsolicited "Bud Frogs" screen saver. This is, in fact, just a chain letter that's been circulating throughout the Internet since January 1997 along with other well-known hoaxes such as the "Good Times Virus" and the "AOL v4.0 Cookie." These hoaxes are designed to stir up panic and frenzy among online users but are otherwise innocuous.

The U.S. Department of Energy maintains an excellent website on Internet hoaxes, including a detailed explanation of each deception as well as a good history of hoaxes in general. If you believe you've been spammed with a ruse, visit this website at www.ciac.org/ciac/CIACHoaxes.html for documentation related to your concern.

While there are many hoaxes on the Internet, the e-mail flaw discovered in July is legitimate concern that should be taken seriously. You should know what e-mail client you are using and then contact the manufacturer's web site for information on download patches. Inoculate yourself now to prevent unwanted intrusion later by destructive hackers. 

Where to patch your PC

* University of Finland -- www.oulu.fi/topics/other/mimebug.html

* Microsoft -- www.microsoft.com/security

* Eudora -- http://eudora.qualcomm.com/security.html

* Netscape -- www.netscape.com/

* Department of Energy, Computer Incident Advisory Capability -- www.ciac.org/ciac/CIACHoaxes.html

Cathi Schuler owns a computer literacy training/consulting company, Cee Prompt! She is a co-author of computer textbooks and can be reached by e-mail at cschuler@uop.edu or cschuler@ceeprompt.com or by mail c/o The Record, P.O. Box 900, Stockton, CA 95201. She is on the Internet at http://www.ceeprompt.com Past columns are available here