HOME
TOPICS
ABOUT ME
MAIL

 
Windows will activate dangerous code even if you do not open or view the mail.
  technofile
Al Fasoldt's reviews and commentaries, continuously available online since 1983

'Most dangerous' security flaw found in Windows


Aug. 9, 2000

By Al Fasoldt
Copyright ©2000, Al Fasoldt
Copyright ©2000, The Syracuse Newspapers

   Researchers have uncovered a huge Windows Internet security flaw. It could be the biggest threat to Windows users ever.
   Computer security experts discovered the flaw in late July. It's called the "IE Script issue," named for Microsoft's trouble-prone Web browser, Internet Explorer. But it also involves Microsoft Access. Both programs have to be installed on a Windows PC for the problem to surface.
   Representatives of the SANS security institute, an organization of 96,000 computer professionals, said they consider the IE Script flaw "the most dangerous programming error" SANS has yet seen in Windows.
   If your home PC runs Windows and uses any part of Microsoft office, install a security patch as soon as possible. The Web site to go to is listed below.
   If you use Windows at the office, your PC is in even more danger. Send a copy of this article to the people who run your company's computer systems. Windows PCs used in offices are much more likely to have the worrisome combination of Internet Explorer and Access, and office firewalls can't do anything to help.
   The IE Script flaw allows anyone to plant malicious code on a Windows PC through e-mail. The destructive code does not have to be hidden in an attachment and the mail does not even need to be opened for the code to be activated. Even though Microsoft Access needs to be installed for the IE Script flaw to show up, Access does not need to be running. Internet Explorer does not need to be running either, because its basic code is always in use within Windows once IE is installed.
   The programming error that caused this susceptibility is complicated and won't be described here. But you should be aware of the basic problem. Read the next part carefully.
   If your PC has Internet Explorer and Microsoft Access installed, Windows will automatically activate malicious code it finds in an e-mail letter that arrives in an otherwise empty mailbox. You do not need to open the letter, view it in a "preview pane" or even know that it arrived. If the mailbox (or inbox) is empty and the next letter to arrive has malicious code, Windows will activate the code. If other letters have already arrived, Windows won't activate the code immediaterly; it waits until you have viewed or opened each letter.
    This will happen in any Windows mail program that supports HTML mail, not just in Microsoft's own mail software, Outlook and Outlook Express. This is especially bad news for anyone who stopped using Outlook Express, the most common Windows mail program, in favor of non-Microsoft mail programs such as Eudora. According to SANS, if your e-mail software uses the standard Windows method of displaying HTML mail, it is just as vulnerable as Outlook. (The standard Windows method uses Internet Explorer's basic code.)
   Please note the most troubling aspects of this flaw:
   Windows will activate dangerous code even if you do not open or view the mail. Windows runs any code it finds in the first letter to arrive in an otherwise empty mailbox.
   Windows will run the code if you merely preview a letter instead of opening it. Previewing was once considered a safe way of reading mail, but it's clearly just as dangerous as opening the mail.
   All mail software is subject to this security flaw if it uses the standard Windows method of displaying HTML.
   All versions of Internet Explorer from 4.0 to 5.5 are part of the flaw, and all modern versions of Windows (95, 98, 2000 and Windows NT 4.0) are vulnerable.
   Microsoft refers to the flaw, or "exploit," as the "IE Script" problem, but SANS points out that the name Microsoft gave to the programming defect is misleading. The name "implies that if Active Scripting is disabled, the exploit would not work," SANS says. "This is not true. The exploit does not rely on scripting, and therefore disabling scripting has no effect on this exploit."
   This is very bad news for everyone who turned off VBScript in hopes of gaining security in Windows.
   Microsoft knows about the flaw and has a fix for it, as well as fixes for other flaws that the SANS Institute and other security organizations reported recently. Here is Microsoft's official statement on the flaw, along with the company's suggested fix: http://www.microsoft.com/technet/security/bulletin/fq00-049.asp.
   You should also check the main Windows update site every week or so. Go to http://windowsupdate.microsoft.com/.
   SANS also suggests that Outlook and Eudora users change a setting in their software. "Set Outlook Express or Eudora to read e-mail in the Restricted Sites zone and then disable everything in that zone," a SANS advisory says. "Zones" are software settings for restrictions that can be applied in various ways.