Mail bug buzzes Mac

MacWeek, August 3, 1998 by Wendy J. Mattson, John Batteiger

Microsoft Corp. and Netscape Communications Corp. last week rushed to patch a security loophole in their e-mail software that allows malicious code to be sent via mail attachments. Meanwhile, several other makers of Mac e-mail software said their products are immune to the flaw.

According to a U.S. Department of Energy Computer Incident Advisory Capability bulletin posted last week, the problem lies in the way some mail clients handle name tags for MIME (Multipurpose Internet Mail Extension) enclosures. The bulletin said if an e-mail message contained an attachment with a very long file name, and if that attachment contained malicious code, the client could process the message improperly and allow the code to execute on an unknowing user's computer (see www.ciac.org/ciac/bulletins/i-077a.shtml).
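A mail gateway can screen for the condition the bulletin describes by measuring attachment names before a message reaches the client. The sketch below is an added example, not code from the article, the CIAC bulletin or either vendor; the 255-character limit, the function names and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

MAX_NAME_LEN = 255  # assumed gateway policy limit; the article gives no figure

def attachment_names(part):
    """Yield (header, name) for each place a MIME part can carry a file name."""
    for header, param in (("Content-Disposition", "filename"), ("Content-Type", "name")):
        value = part.get_param(param, header=header)
        if value is not None:
            # get_param has already joined RFC 2231 continuations (name*0, name*1)
            yield header, collapse_rfc2231_value(value)

def overlong_names(raw_message, limit=MAX_NAME_LEN):
    """Return (part index, header, length) for every name longer than limit."""
    findings = []
    msg = message_from_string(raw_message)
    for index, part in enumerate(msg.walk()):
        for header, name in attachment_names(part):
            if len(name) > limit:
                findings.append((index, header, len(name)))
    return findings

# Constructed sample: an ordinary attachment, one with a 300-character name,
# and one whose 400-character name is split across two continuations.
SAMPLE = "\n".join([
    "Subject: constructed test message",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    'Content-Type: text/plain; name="notes.txt"',
    'Content-Disposition: attachment; filename="notes.txt"',
    "",
    "ok",
    "--b1",
    "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="' + "A" * 300 + '"',
    "",
    "data",
    "--b1",
    'Content-Type: application/octet-stream; name*0="' + "B" * 200 + '";',
    ' name*1="' + "B" * 200 + '"',
    "",
    "data",
    "--b1--",
])

if __name__ == "__main__":
    print(overlong_names(SAMPLE))
```

Checking both headers matters because a part can carry its name in either one, and a name split into continuation segments only shows its full length once the segments are joined.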

The problem affects both Mac and Windows versions of Microsoft's Outlook Express 4.x and Outlook 98, but apparently does not affect the Mac version of Netscape's e-mail software.

Microsoft last week posted a patch for Mac users but later said that fix was incomplete. The company is asking users of its Outlook Express e-mail program to download a second patch when it becomes available. Information can be found at www.microsoft.com/ie/security/oelong.htm.

Julie Herendeen, Netscape director of client product marketing, said, "Currently we've only found the problem on the Windows platform, not on the Macintosh." Windows users with Version 4.0 and higher of the e-mail software in Netscape Communicator are affected, Herendeen said.

Netscape said information on the flaw and a work-around for Windows users of its e-mail client can be found at http://home.netscape.com/products/security/resources/bugs/longfile.html.

A complete fix will be included in an update to Netscape Communicator, Version 4.06, which will be released Aug. 7, the company said.

Several other makers of Mac e-mail clients, including Qualcomm Inc., CE Software Inc., Apple and CTM Development, said their products are not affected.

Matt Parks, product manager for the Eudora e-mail package from San Diego-based Qualcomm, said last week that Qualcomm engineers tested the software, "and we don't have a problem."

CE Software last week said its QuickMail Pro, QuickMail Office and QuickMail LAN products are not affected. Apple said it does not believe its Emailer software is susceptible to the flaw.

Rich Siegel, president of Bare Bones Software Inc. in Bedford, Mass., said the company had come up with a test case that could crash its e-mail client, Mailsmith, with certain MIME messages. "However, it is simply a crash of the application, and does not present a security risk of the type described in the [Energy Department's] bulletin," Siegel said. He said the company has fixed the bug, and the update will be included in the next version of Mailsmith.

Joanna Pearlstein contributed to this report.

COPYRIGHT 1998 Mac Publishing
COPYRIGHT 2008 Gale, Cengage Learning
 
