Advances in Web technology cause e
mail client problems:
Hidden executables can trash disks
By Jon Cornetto and Matthew Nelson
HE OUTBREAK O
f messaging client vulnerabilities has put e
mail security on the minds of many. But while vendors rush to fix exi
problems (see chart), the trend for e
mail vendors to add HTML support to their client products is resulting in more holes.
The problem stems from technologies for embedding executables inside HTML documents, creating Dynamic HTML (DHTML).
kers have provided security controls for DHTML, but it opens up a Pandora's box of security issues when combined with
enabled mail clients.
"I have a lot of control from within my browser, such as Web proxies, but in mail... I have nowhere near the sa
me security," said Russ Cooper,
moderator of the NT
BugTraq mailing list.
The latest versions of Netscape's Communicator, Microsoft Outlook, and Qualcomm's Eudora, which make up the lion's share of e
in use, all accept HTML
process that is analogous to delivering a Web page to the user's hard drive.
"Once you've fetched an HTML e
mail off the server, it is a local file. Your e
mail acts like a browser, executing a local file" said Shimon
Gruper, chief technology officer at e
Safe technologies, a Seattle
based Internet protection provider.
run locally once the
user opens the message, Gruper said. And if t
he script is malicious, it could reformat a hard drive or install a virus. A user might not even know
that a program was running at all, as could be the case with the recently reported Back Orifice hacker tool.
This Trojan Horse is intended to allow remote
users to gain complete access to Windows 95 or Windows 98 systems over the Internet. Created
by a hacker group called The Cult of the Dead Cow, it contains only 120KB of data and has the ability to run invisibly.
Outlook and Outlook Express use Trident, M
icrosoft's HTML viewer for e
mail clients. Trident has the same security resources that exist
within Internet Explorer, said Karan Khanna, product manager for Windows NT at Microsoft.
According to analysts, the problem is that once the message is in a user
box, it is in what Microsoft products consider a safe "Zone," and
the script would run if called upon within the HTML.
This hole is also the underlying cause of a bug in Qualcomm's Eudora client. This allows e
mail to be sent to Eudora users with a m
executable attachment that is camouflaged to resemble a URL.
Eudora also uses Trident to view HTML e
mails, and Qualcomm advised that users turn off that extension to prevent scripts from running
within the client.
As for Communicator, Edith Gong,
Netscape Communicator product manager, said it was unlikely that users could be affected by an embedded
script, but she could provide no more details.
Microsoft Corp., in Redmond Wash., is at http://www.microsoft .corn. Qualcomm Inc., in San Diego is at h
Netscape Communications Corp., in Mountain View, Calif., is at http://home.netscape.com.
AUGUST 17, 1998 INFOWORLD 13