X-Priority: 2 (High)
Date: Mon, 10 Aug 1998 15:49:59 -0400
To: csr@smash.gatech.edu, snag@gt.ed.net, information-technology@oit.gatech.edu
From: Ray Spalding
Subject: GT/IRSC ALERT: Security Flaws in Popular E-Mail Programs

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
INFORMATION TECHNOLOGY SECURITY ALERT
Georgia Institute of Technology
Information Resources Security Coordinator

Alert number 98-06 (1998-08-10)
Subject: Security Flaws in Popular E-Mail Programs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
AFFECTED:

Microsoft Outlook 98
    Windows 95, 98, and NT 4.0
Microsoft Outlook Express 4.x
    Windows, Solaris, and Macintosh
Netscape Communicator 4.0 through 4.05 and 4.5 Preview 1
    Mail and News components
    Windows 3.1, 95, 98, and NT
Eudora Pro 4.0 and 4.0.1
    Windows 95, 98, and NT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ACTION REQUIRED: YES

Update software as indicated by the following:

Microsoft: http://www.microsoft.com/security/bulletins/ms98-008.asp
Netscape: http://home.netscape.com/products/security/resources/bugs/longfile.html
Eudora: http://eudora.qualcomm.com/security.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
DETAILS:

Security flaws were found recently in the most popular E-mail client
programs: Microsoft Outlook, Netscape Communicator, and Eudora Pro.
This affects the vast majority of PC users worldwide. Experts urge all
users of the affected programs to update as soon as possible.

The Microsoft and Netscape flaws are similar, involving attachments
with very long filenames (greater than 200 characters). Eudora was
found to be not vulnerable to this problem, but to another problem
involving hidden executable programs in attachments.

Additional information is available at:

ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-98.02.Outlook.buffer.overflow
http://www.ciac.org/ciac/bulletins/i-077b.shtml
http://www.ciac.org/ciac/MIMEfaq.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reminder: The Georgia Tech Information Resources Security home page
is at http://www.itis.gatech.edu/security/
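
A mail-gateway style check for the long-filename condition described under DETAILS, added here as an illustration and not part of the original alert or any vendor fix. The function names and the sample message are constructed for this example; the 200-character threshold is the one the alert states.

```python
from email import message_from_bytes, policy
from email.utils import collapse_rfc2231_value

MAX_NAME_LEN = 200  # "greater than 200 characters", per the alert

def long_attachment_names(raw, limit=MAX_NAME_LEN):
    """Return [(header, length)] for each attachment name longer than limit."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        # A client may take the name from either header, so check both:
        # a short 'filename' must not mask an oversized Content-Type 'name'.
        for param, header in (("filename", "content-disposition"),
                              ("name", "content-type")):
            value = part.get_param(param, header=header)
            if value is None:
                continue
            # RFC 2231 encoded values may come back as a tuple; collapse to str.
            name = collapse_rfc2231_value(value)
            if len(name) > limit:
                findings.append((header, len(name)))
    return findings

def sample_message(filename, ct_name="notes.txt"):
    """Constructed test message carrying one text attachment."""
    return (
        "From: a@example.org\r\nTo: b@example.org\r\nSubject: test\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nbody\r\n"
        "--b1\r\n"
        f'Content-Type: text/plain; name="{ct_name}"\r\n'
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        "data\r\n--b1--\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    for label, raw in (("normal", sample_message("notes.txt")),
                       ("oversized", sample_message("A" * 250 + ".txt"))):
        print(label, long_attachment_names(raw))
```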