A new method for attacking computers connected to the Internet allows vandals to take control of a PC simply by sending it an email.
The vulnerability in Microsoft's Outlook email program has widespread implications: Until now, victims had to willingly open an email attachment, or at least view a specially formed email message, to be attacked.
Now, a computer vandal could conceivably take control of thousands of computers with a single mass email. Intruders can have their way with a target machine once it begins to download the ill-formed message.
The vulnerability was discovered about a month ago by a South American security research team known as Underground Security Systems Research, or USSR Labs. MSNBC.com learned of the flaw 11 June, but agreed to not publish the information until Microsoft had a chance to supply a fix. However, an individual sent details of the bug to a security mailing list this morning. Microsoft did not respond to repeated phone calls.
A spokesperson for USSR Labs told MSNBC.com that the group has been able to add malicious code to email headers that executes as soon as the target computer begins to download the email.
According to a Microsoft draft security bulletin obtained from USSR Labs, Microsoft acknowledges the flaw, and indicates home users would be at the greatest risk. But the company also says the bug will impact few corporate users. Specifically, corporations running Outlook in "corporate and workgroup mode" are not at risk; those running in "Internet-only mode" are.
The only defence against the vulnerability is installing the Microsoft patch, which will be available shortly on the Microsoft.com security Web site. "This vulnerability can affect a user even if the user follows what would normally be safe computing practices such as installing the Outlook Security Update and using the Security Zones feature to manage the security of his or her mail client," Microsoft wrote in draft of its bulletin.
Since an attacker could have their way with a victimised computer, several alarming scenarios are possible. A single email could instruct the computer to delete every file on its hard drive, for example. It could also instruct the computer to copy sensitive information from the victim and email it back to the attacker.
The vulnerability could have unnerving privacy implications as well. For example, a spam advertiser could send an email that would automatically launch Internet Explorer and direct it to the company's Web site.
As written, this vulnerability is not self-replicating, like the ILOVEYOU computer worm, which spread around the world in under 12 hours earlier this year. To exploit this problem, an attacker would have to deliberately send a specially-formed malicious email to a victim. A virus writer could use this code to create a dangerous self-replicating worm.
According to Russ Cooper, who watches Microsoft flaws closely as administrator of the NTBugTraq mailing list, the vulnerability is a major problem.
"I would say this problem is huge. It's the 'Good Times virus' come true. If you heard about this, you would call it a hoax," Cooper said, referring to an old computer myth that a single email could destroy a victim's computer. "Here we have the chance of people hearing 'The reason your hard drive was reformatted was because you received that email."
Since sample code exists, Cooper expects copycats to begin writing malicious emails fairly soon. There is one mitigating factor -- since the flaw does not impact most corporate users, and home users are generally a less interesting target, that might limit computer vandal interest in the problem. Corporate users normally have more sensitive, valuable information stored on their computers.
Concerns raised again about MS The spokesperson for USSR Labs said he felt Microsoft acted quickly to try to patch the hole in this case, but is still concerned that the company doesn't take security seriously enough.
"I think it appears it's more important for companies to make software and sell it," he said. "If they have problems later they will fix it."
The sample code released today could be altered and used by computer vandals. USSR Labs has not yet released its version, but a spokesperson said the group would when Microsoft releases its fix. He said sample code is an essential part of the process when unearthing a computer bug.
"It is the only way to make software companies pay attention," he said.
An independent discoverer published the same vulnerability this morning on the "Bugtraq" security mailing list. According to the researcher, identified as Aaron Drew in the email, the bug involves jamming too much data into the date field in the header of an email. But unlike USSR, Drew believes some user interaction is required to initiate an attack. According to his note, Outlook Express users need to open a mail folder containing a malicious email to become vulnerable. Outlook users need to preview, read, reply or forward a malicious email to become vulnerable.
"This type of vulnerability lends itself for targeted attacks on individuals via their email address," said Elias Levy, who monitors the Bugtraq list. "(It) also lends itself to the creation of a new email worm ... You can grasp the gravity of the problem."
Take me to the Virus Workshop