March 9, 2000 1:00 PM PST
Microsoft security hole bugs Web-based email
The hole could also potentially be used to create more significant system damage, experts say.
The vulnerability, which was just discovered, works by forcing a computer to process a certain sequence of characters. A user could encounter this situation in several instances: when downloading a Web page that has been embedded with malicious code, when opening an email message on Hotmail or some other Web-based email service or simply by typing the code at a DOS prompt. When a computer encounters the sequence of characters and tries to process them, it crashes.
"Basically, if you have a certain combination of certain strings in a file name, it gives the user the blue screen of death," said Elias Levy, chief technical officer at SecurityFocus.com and moderator of the BugTraq mailing list, which has been following the issue for the last week.
Microsoft confirmed the vulnerability, which is a type of "Trojan horse," and said it is working on a patch.
"It is a vulnerability in which Windows 9x machines can be caused to crash," a spokesperson said. "Microsoft is aware of the issue and is developing a patch that will eliminate it."
Microsoft has been afflicted by numerous vulnerabilities in its software, several of them stemming from the fact that Windows 98 and its predecessors were designed to be run by a person with unrestricted access to the computer. Other systems, including Unix, Linux, Windows NT and Windows 2000, make it easier to protect a computer from attackers or bumbling users.
Web-based email has also had its share of security snafus and privacy blunders.
The vulnerability, which Microsoft terms "obscure," could in reality affect millions of users, analysts say. Although it is unlikely that most Windows users will type in the code at the boot-up prompt (which could cause a crash), it is much more likely that a user could unwittingly open a Web page that includes the malicious sequence.
Or a particular type of email. In the past, a Trojan horse depended upon tricking a user into executing or opening a malicious program or clicking on a malicious Web page. But with the advent of Web-based email programs, such as Microsoft's Hotmail, sending a Trojan horse into action becomes much easier. Web-based email messages are essentially Web pages that reside on a distant server. Opening one of these messages, therefore, can automatically launch, without the user's permission, an embedded HTML link that contains the sequence.
The vulnerability can also affect people who use standard email programs. Microsoft's Outlook includes a feature that automatically opens, or previews, HTML Web pages without a user actually clicking on the link. In this situation, the automatic opening of the Web page would crash the user's computer. Hotmail has a similar feature.
In addition, Microsoft's Office programs embed HTML and could open a Web page without a user's consent.
Although Levy is not sure exactly how the bug works, he speculated that it might be a result of problems with how Windows 95 and 98 deal with file names from the older DOS operating system on which Windows 95 and 98 are based.
"It's obviously a bug that is triggered when you open one of the file names and then crashes Windows," said Levy, explaining that the problem is the result of a clash between older DOS file-naming schemes and new Windows-based applications.
"Most of the applications that use Windows don't expect the file names to be special," he said.
On its own, the vulnerability will probably not cause more than annoyance and irritation. Although it has the potential for widespread dissemination by Web-based email, or by email servers that save file attachments, the system crashes will most likely not result in any data loss, Levy said. However, the bug could be used in combination with other hacking methods that force a computer reboot as a step in gaining access to secure data, Levy warned.
"It's pretty low on the scale of things," Levy said. "But it could be used to leverage other problems."
Until Microsoft comes up with a patch, the company recommends that users be vigilant about opening unknown files and keeping their security settings at the highest level.
"Microsoft always recommends that customers avoid running programs from sources they don't trust," the spokesperson said.
News.com's Stephen Shankland contributed to this report.