The discovery of the so-called "Mime-bug" was ominous and taken most
seriously by Microsoft and Netscape so that corrective measures, called
"patches," could be immediately deployed for their popular programs, Outlook
Express, Outlook and Messenger. It was hoped that aggressive, proactive
announcements would allow programmers to stay one step ahead of "Black
Hat" hackers who delight in widespread electronic destruction for the sheer
fun of it. Not since the apocalyptic predictions that accompanied Y2K concerns
have I seen a problem taken so seriously by the technology community.
Realize that these security holes are still theoretical at this point,
since there is no known case of hackers exploiting them, but
they have been confirmed by research experts. For this reason, industry
analysts worry that the general public might discount the serious nature
of this problem and delay installing corrective patches until it is too
It is, in fact, consumers who should be most concerned about this vulnerability
since attacks will be aimed at individual users and could potentially
wipe out an entire hard disk without the user ever opening the tainted message.
The crux of the problem lies in the mail program's inability to manage
file attachments with names that exceed 200 characters in length. The file
attachment itself may, in fact, be quite benign, but it's the attachment
filename in the e-mail header that opens the door to a potential attacker.
Simply highlighting a message in your Inbox or moving the mouse over
the attachment icon could trigger the fuse.
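A mail gateway or filter can test for this condition before a message ever reaches the client. The following is an added example, not code from this column or from any vendor: it parses a message and reports attachment names longer than the 200-character figure cited above, whatever the attachment body contains. The sample message, addresses and function names are constructed for illustration.

```python
from email import message_from_bytes
from email.utils import collapse_rfc2231_value

MAX_NAME = 200  # figure cited in the column; used here as a policy threshold
# Both headers can carry an attachment name, and a client may read either one.
FIELDS = (("content-disposition", "filename"), ("content-type", "name"))

def scan(raw, limit=MAX_NAME):
    """Return (header, length) for every declared attachment name over limit."""
    findings = []
    for part in message_from_bytes(raw).walk():
        for header, param in FIELDS:
            value = part.get_param(param, header=header)
            if value is None:
                continue
            # RFC 2231 encoded parameters arrive as a (charset, language, value) tuple.
            name = collapse_rfc2231_value(value)
            if len(name) > limit:
                findings.append((header, len(name)))
    return findings

def build_sample(name_len):
    """Constructed message: benign body, attachment name of name_len characters."""
    name = "A" * (name_len - 4) + ".txt"
    return (
        "From: sender@example.com\r\n"
        "To: user@example.com\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/plain\r\n"
        "\r\n"
        "hello\r\n"
        "--b1\r\n"
        f'Content-Type: application/octet-stream; name="{name}"\r\n'
        f'Content-Disposition: attachment; filename="{name}"\r\n'
        "\r\n"
        "benign body\r\n"
        "--b1--\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    for n in (40, 200, 300):
        hits = scan(build_sample(n))
        print(n, "quarantine" if hits else "deliver", hits)
```

A message with any finding should be held or have the offending header rewritten before delivery, since the column notes that merely highlighting it in the Inbox may be enough to trigger the flaw.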
Microsoft and Netscape are both testing and churning out patches to
address the problem. Microsoft posted its most recent fix for Outlook and
Outlook Express on Aug. 11 at its website, www.microsoft.com/security, and
Netscape's latest browser, version 4.06, includes the fix for the vulnerability.
It was originally thought that the flaw only affected Microsoft and
Netscape mail products, but security flaws have now been discovered in
the Eudora e-mail client as well. Like its industry counterparts, Qualcomm
is working on patches and new versions to address the problem.
With so many hoaxes circulating throughout the Internet, it's often
difficult to differentiate between genuine problems and practical jokes.
Just last week I received what appeared to be a legitimate warning from
a colleague advising of the dangers of downloading an unsolicited "Bud Frogs"
screen saver. This is, in fact, just a chain letter that's been circulating
throughout the Internet since January 1997 along with other well-known
hoaxes such as the "Good Times Virus" and the "AOL v4.0 Cookie." These
hoaxes are designed to stir up panic and frenzy among online users but
are otherwise innocuous.
The U.S. Department of Energy maintains an excellent website on Internet
hoaxes, including a detailed explanation of each deception as well as a
good history of hoaxes in general. If you believe you've been spammed with
a ruse, visit this website at www.ciac.org/ciac/CIACHoaxes.html
for documentation related to your concern.
While there are many hoaxes on the Internet, the e-mail flaw discovered
in July is a legitimate concern that should be taken seriously. You should
know what e-mail client you are using and then check the manufacturer's
website for information on downloading patches. Inoculate yourself now to
prevent unwanted intrusion later by destructive hackers.
* Microsoft -- www.microsoft.com/security
* Eudora -- http://eudora.qualcomm.com/security.html
* Netscape -- www.netscape.com/
* Department of Energy, Computer Incident Advisory Capability -- www.ciac.org/ciac/CIACHoaxes.html