

E-Mail Security: Protect Your Data

From AIDS Treatment News

In the last month, serious email security flaws that could affect millions of users have been discovered and publicized. AIDS organizations particularly should pay attention because of the need to maintain confidentiality of client information. If not corrected, these flaws could allow an email message to run a hidden program which could steal email addresses or other confidential information, and/or destroy all data on the computer's hard disks. Experts are worried because there are millions of computers with the defective software, and many of them will not be fixed.

According to reports in the San Jose Mercury News, The New York Times, and the software publishers' Web sites listed below, the programs affected are:

  • Eudora Pro for Windows, but only the new versions 4.0, 4.0.1, and some 4.1;

  • Microsoft Outlook 98 and Microsoft Outlook Express 4.x (including Outlook Express 4.1 on Macintosh and Solaris);

  • Netscape Communicator for Windows, versions 4.01, 4.05, and 4.5 Preview Release 1.

There may also be similar problems in other software. The recent discoveries have led to an intensive search.

If you are running email software that may be affected, make sure that important data is backed up so that it will not be lost if all data on the hard disks is destroyed. Also, the companies involved are providing instructions on how to fix their software; sometimes a temporary fix is as easy as turning off an option, and sometimes a patch or an upgrade is required (but only use a patch or upgrade from a trusted source--not one which arrives unsolicited by email). Check the following Web sites:

  • For Eudora Pro 4.0, 4.0.1, or 4.1: http://eudora.qualcomm.com/security.html;

  • For Microsoft Outlook 98 and Microsoft Outlook Express 4.x: http://www.microsoft.com/ie/security;

  • For Netscape Communicator: http://www.netscape.com.

Comment

Some computer users may be reluctant to believe these warnings, because they sound like email security hoaxes which have been distributed like chain letters on the Internet. But this report was first published July 28 on page 1 of the San Jose Mercury News--probably the best general newspaper in the country for coverage of the computer industry. The New York Times picked it up two days later; and a team at the U.S. Department of Energy called the problem extremely serious. (The Eudora flaw is somewhat different from the others and was discovered later; it affects only a minority of users.)

In some cases it might not even be necessary to open the malicious email; just receiving it may be enough. A sophisticated program which searched target computers for email addresses and used them to replicate itself could affect millions of users very rapidly, and existing anti-virus software would not protect against it. As of mid-August we have not heard of any malicious use of these security flaws; but that could change quickly now that the vulnerability is widely known.

Older email programs are not likely to be affected, because each email message is only text that is displayed; no matter what the content, it cannot run any program. New software often allows email messages to do more than just display text--creating a trade-off of convenience vs. security.

Since AIDS Treatment News does not use any of the software known to be affected, we could not easily test the fixes provided at the above Web sites. Unfortunately the software industry is notorious for poor usability and maintainability of its products. If you cannot get the provided instructions to work, other options are to wait until a software upgrade is available, or switch at least temporarily to a different email program.


© 1997-98 BEI