The buzz on the bug
How does the e-mail security bug affect Solaris users?
For those unfamiliar with the issue, this e-mail bug is a security hole that allows outsiders to send a hand-grenade-like e-mail attachment. Once opened, the e-mail can destructively erase a computer's hard drive.
Microsoft says this bug affects people who use a version of Outlook Express that shipped with Microsoft Internet Explorer 4.0 or 4.01 on Windows 98, Windows 95, Windows NT 4.0, Windows NT for DEC Alpha, Macintosh, or Unix. Windows 3.1 and Windows NT 3.51 versions of Internet Explorer are not affected by the bug, according to Microsoft.
Netscape has confirmed that the security issue affects the mail and news components of Communicator for the following versions and platforms: Netscape Communicator 4.0 through 4.05 on Windows 3.1, 95, 98, and NT platforms and Netscape Communicator 4.5 Preview Release 1 on Windows 95, 98, and NT platforms.
Netscape believes the following mail and news component versions are not affected: Netscape Communicator 4.0 through 4.05 on Macintosh and Unix platforms, Netscape Communicator 4.5 Preview Release 1 on Macintosh and Unix platforms, and Netscape Navigator 2.x and 3.x on all platforms.
This means that the only Sun-related product currently endangered by the bug is Microsoft Outlook Express for Solaris. But as one source said, given the intense solidarity most Solaris users feel against Microsoft, it's unlikely that the number of individuals who have mingled Microsoft and Solaris on their machines is exceedingly high.
A spokesperson from Microsoft says there is not yet a patch available for users of its Outlook Express for Solaris product. "While users should be aware of this issue, it is important to note that it does not affect normal e-mail usage and can only be disruptive if a malicious hacker violates a user's system," says the spokesperson. "Microsoft has not received any reports of customers being affected by this problem. To date, it has only been used demonstratively and is very difficult to implement."
Laakso and Takanen are employed by Finland's Oulu University. They, along with Juha Roning, form a triumvirate known as Oulu University's Secure Programming Group.
Laakso and Takanen discovered the security flaw last month. Laakso is reluctant to disclose information about the security hole. "We, as OUSPG, have not made any public statement about the significance of the bug," he says. "It is our job to stick to hardcore and verified facts." He also says he doesn't want to escalate the seriousness of this problem by speculating.
Eugene H. Spafford, director of Purdue University's Center for Education and Research in Information Assurance and Security, describes Laakso and Takanen's process of discovery: "The group in Finland [OUSPG] decided to do some work in code analysis. They decided to pick something that is very widely used, so they chose e-mail."
Spafford says the group used some standard attack methods, and "much to their surprise after just a few tests they discovered this problem with [Microsoft] Outlook." He says they tried the tests against Netscape Communicator and discovered that it had a very similar kind of flaw. "It wasn't something that was terribly complicated or long-standing, and they discovered it with a fairly simple set of tests."
Due to his team's involvement with security, Laakso believes that "statements regarding the bug are better made by the vendors, security organizations, and independent experts, because they are better channels for the impact evaluation."
Microsoft says don't panic
"Microsoft does not want consumers to panic -- we have not heard of any users who have been affected by this issue, but we're working hard to resolve this situation immediately," says the Microsoft spokesperson.
"We're gonna learn from this," says Chris Saito, group product manager for Communicator at Netscape. "The good news is that the bug does not exist on Sun or Macintosh; for Communicator users it's not an issue."
Saito says Netscape does have a workaround. "If you see a suspicious message with a long file name, don't click on the file menu. You can read the message and save it to the hard drive; just don't click on the file menu." Microsoft's workaround is the same: "Users should avoid downloading long file names," says Microsoft's spokesperson. "Save the e-mail to your hard drive first."
A source close to the bug discovery is critical of Microsoft: "It is sad that the customer has to suffer the impact. Customer pressure is not high enough on security measures. So [Microsoft] cannot spend money on security testing when there is no real market demand for it."
Spafford says, "The problem is one that keeps popping up in Solaris too. For some reason, despite more than 30 years' worth of experience, vendors keep writing code that allows buffer overflows, and producing code that has known weakness. That is bad practice."
According to Spafford, this is negligence on the part of all the vendors involved who don't test their products rigorously. "[They] allow programmers to produce products with well-known and documented flaws, and then the product gets shipped out to customers in this flawed state."
Companies such as Sun, Microsoft, and Netscape need to start paying attention to issues of quality and security and putting more research into their products, says Spafford. "They need to be reviewing existing code, training programmers to be more precise, and reviewing the code for security flaws. They need to be doing better testing of code that's been documented in the literature."
Netscape's Saito says, "We do a lot of testing. We care deeply about quality and security. We've told people what the workaround entails. Bugs do occur."
According to Saito, Netscape believes it has a very secure product. "We put our source code on the Internet. That allows people to find bugs like this. The proof that [Communicator] is secure is that it [finding of the bug] came out of a lab setting, not from a hacker."
Saito says Netscape hopes to post its bug fixes next week.
Says Spafford, "Most vendors appear to believe that simply posting something on a Web site is sufficient notice for fixing the flaw. But not everybody subscribes to newsgroups. What if [users] don't happen to notice that?"