Microsoft Corp. (Nasdaq: MSFT) is scrambling to keep users from being affected by the latest security flaw in its software, an opening that could allow malicious users to take over other computers.
The flaw in Microsoft Outlook and Outlook Express software was discovered by two separate researchers, one in Australia and the other in South America. To date, no one has reported being affected, Microsoft officials said.
The company acknowledged the flaw and issued a bulletin at its security site, saying it would make patches available to eliminate the vulnerability for those users who do not want to go through an entire upgrade.
“Clearly, this is a serious vulnerability,” a Microsoft security manager told the Associated Press.
Safe Computing Not Enough
Unlike past e-mail viruses, users do not have to open attachments — or even the e-mail itself — to become infected, so that even recommended “safe computing” methods are useless.
“The vulnerability would be exploited when the mail was being retrieved from the server, that is, before it even appeared in your inbox,” Microsoft explained on its security site.
The opening could allow a malicious user to plant code in the e-mail, with two possible consequences, one more serious than the other. The first possibility is that the hacker could cause Outlook or Outlook Express to fail. Much worse, the attacker could send code that would be executed on the recipient’s computer and in essence, the malicious user could take over the computer. The sender could reformat the hard drive, change data or communicate with external sites.
New Browser Versions
The latest lapse is called a “buffer overrun” vulnerability, in which the attacker floods a field with more characters than it can handle. It is the most common type of breach, according to security experts.
“Buffer overflows have been the most common form of security vulnerability for the past 10 years,” a research paper by the Oregon Graduate Institute of Science and Technology states. According to the paper, “Because these kinds of attacks enable anyone to take total control of a host, they represent one of the most serious classes of security threats.”
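The following C program is an added illustration of the defect class the article describes, not code from the article, from Microsoft, or from the Oregon Graduate Institute paper; it does not reproduce the actual Outlook flaw. It shows the unchecked pattern (a header value copied into a fixed 64-byte field with no length check) next to a hardened version that measures the value first and refuses anything that does not fit, then scans a few constructed header lines the way a mail client or gateway would before a message reaches the inbox. The field size, the watched header names and the sample headers are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 64   /* assumed fixed-size field; the real client's size is not on the page */

/* "Before" pattern (illustrative only, never called with long input here):
 * the value is copied into a fixed buffer with no length check, so a value
 * of FIELD_MAX bytes or more writes past the end of `out`. */
void copy_field_unchecked(const char *value, char out[FIELD_MAX]) {
    strcpy(out, value);   /* no bound: the sender's string decides how much is written */
}

/* Hardened version: measure the value with a bounded scan, reject anything
 * that does not fit, and never write past the end of `out`.
 * Returns 0 on success, -1 if the value was rejected as overlong. */
int copy_field_checked(const char *value, char out[FIELD_MAX]) {
    size_t n = 0;
    while (n < FIELD_MAX && value[n] != '\0') n++;    /* stop scanning at the buffer size */
    if (n == FIELD_MAX) { out[0] = '\0'; return -1; } /* too long: refuse rather than truncate silently */
    memcpy(out, value, n + 1);                        /* n + 1 includes the terminating NUL */
    return 0;
}

/* For one raw header line "Name: value", copy the value of header `name`
 * into `out` with the checked copy. Returns 1 if the line matched and was
 * accepted, 0 if it is a different header, -1 if it matched but was rejected.
 * (Header names are compared case-sensitively to keep the example short.) */
int take_header(const char *line, const char *name, char out[FIELD_MAX]) {
    size_t len = strlen(name);
    if (strncmp(line, name, len) != 0 || line[len] != ':') return 0;
    const char *value = line + len + 1;
    while (*value == ' ' || *value == '\t') value++;  /* skip whitespace after the colon */
    return copy_field_checked(value, out) == 0 ? 1 : -1;
}

/* Walk a message's header lines and return how many watched header values
 * were rejected as overlong. A non-zero result is what a defender would log
 * or alert on, before the message is ever displayed. */
int count_rejected_headers(const char *const *lines, size_t count) {
    static const char *const watched[] = { "Date", "From", "Subject" };  /* assumed list */
    char buf[FIELD_MAX];
    int rejected = 0;
    for (size_t i = 0; i < count; i++)
        for (size_t w = 0; w < sizeof watched / sizeof watched[0]; w++)
            if (take_header(lines[i], watched[w], buf) == -1) rejected++;
    return rejected;
}

int main(void) {
    /* Constructed sample headers, not taken from any real message. */
    const char *const normal[] = {
        "From: alice@example.test",
        "Date: Tue, 18 Jul 2000 10:15:00 +0000",
        "Subject: status",
    };
    char oversized[300];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    char date_line[320];
    snprintf(date_line, sizeof date_line, "Date: %s", oversized);
    const char *const hostile[] = { "From: bob@example.test", date_line };

    printf("normal message:   %d header(s) rejected\n", count_rejected_headers(normal, 3));
    printf("oversized Date:   %d header(s) rejected\n", count_rejected_headers(hostile, 2));
    return 0;
}
```

The point of the checked version is that the length decision is made by the program's buffer size, not by whatever arrives from the network; the bounded scan also avoids walking an unterminated string. Rejecting rather than silently truncating matters for detection, because the rejection is the event worth logging.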
For those not wanting to use patches, Microsoft said the new version of its Internet Explorer browser, Internet Explorer 5.01 Service pack, available for free download at Microsoft’s Web site, will eliminate the problem. A default installation of Internet Explorer 5.5 will remove the problem for all users other than those using Windows 2000, according to the company.
Four Fixes in Two Years
The flaw follows earlier security holes that have prompted criticism of Microsoft’s programmers. Critics charge they are lax in security measures and that Microsoft’s Outlook software is particularly vulnerable to malicious users.
Microsoft has issued patches four times in the last two years for “buffer overrun” bugs. After the Love Bug virus wreaked havoc via e-mail on millions of computers in early May, the Stages virus affected corporate networks and some home users in June.