By STAFF REPORTERS and AGENCIES
Microsoft is scrambling to close a security gap that leaves millions of home computers vulnerable to e-mail viruses.
The gap in Microsoft's Outlook e-mail program is "a serious vulnerability," say company executives, and software will soon be available to fix the problem. The company also says that users of its latest web browser, Internet Explorer 5.5 (or IE 5.01 plus Service Release 1) are not affected by the security problem.
A virus embedded in an innocent-looking e-mail could slip through the gap even though the e-mail is not opened. That would make computers hugely vulnerable to contamination, since most viruses, such as the destructive Melissa or Love Bug, are carried in visible attachments which are triggered on opening.
So far, there have been no reports in New Zealand of viruses using the gap. Ihug yesterday put an alert on its website warning of the problem.
Microsoft New Zealand spokeswoman Carol Leishman said anyone with concerns should ring Microsoft Service or check the company's website.
The company has issued technical information - known as a "work-around" - on how to fix the problem and released a security "patch" which can be downloaded from its website.
A Microsoft security bulletin says a malicious user could exploit the gap, known as the "malformed e-mail header" vulnerability, to send an e-mail which could cause Outlook or Outlook Express to fail.
More seriously, it could include computer code written by the hacker to start corrupting the victim's computer. That could include reformatting the hard drive, triggering other e-mails and changing or wiping software.
Business computer networks are not vulnerable.
The gap was discovered last month by a South American internet security company, USSR (Underground Security Systems Research), and it alerted Microsoft.
The software giant worked on ways to fix the problem before alerting the public, so no hacker could cause damage with the knowledge.
But news leaked on to the net and Microsoft was forced to release details this week.
Affected software versions include Outlook Express 4.0, 4.01, 5.0, 5.01 and Outlook 97, 98 and 2000.
Ryan Russell, moderator of Bugtraq, a popular security bulletin board, said the hole gave people the ability to access a victim's hard drive. "That is about as serious as it gets."
The information security group System Administration, Networking and Security Institute said the hole was a dangerous program error because it allowed "crackers" to take full control of another computer.
Auckland software designer Phil Saleh was not surprised by the news. In May, the Herald reported that he believed he had discovered a loophole in the same Outlook Express program that could allow hackers to control a computer through an e-mail or introduce dangerous viruses.
Microsoft denies Mr Saleh's claims, despite independent verification last month from IT security company E-Secure IT.
But Mr Saleh said: "It looks very similar to the vulnerability I warned them about months ago, but they refused to accept there was any problem."
Arjen de Landgraaf, director of E-Secure IT (a division of Co-Logic), said that although the technology involved with the latest flaw was different, the result was ultimately the same.
"We have discovered similar flaws and forwarded them to Microsoft. They always play the problem down."
Microsoft security bulletin
Microsoft Services (NZ):
Tel: 0800 800 004
Auckland: (09) 357 5576
Scramble to plug gaps in software