Security Issue with Email Attachments
A recent CIAC security advisory identifies a potentially dangerous flaw involving email clients processing MIME attachments with unusually long file names (more than 200 characters). The problem, primarily affecting Windows versions of Microsoft Outlook, Outlook Express, and Netscape Messenger, could cause a buffer overflow which could crash the email client or (apparently) cause code to be executed on the client’s system, even if the user does not attempt to open the attachment or even the message itself. Microsoft and Netscape have both issued security advisories for their products, along with patches for the Windows versions of their software.
Historically, the primary way to take advantage of a buffer overflow is to craft the precise binary data that will get past the target program’s bounds checking, then somehow cause that data to be executed as if it were code. No information is available about how that might happen with an email client; however, it’s extremely likely that code would have to be platform or processor-specific. So, a Macintosh would probably be immune to any message designed to exploit this problem on an Intel-based machine. It’s important to note that, to date, there are no known instances of this code-execution vulnerability being exploited. (However, there’s nothing new about email programs crashing while processing badly formatted messages.)
Qualcomm confirms that current versions of Eudora Pro and Light for Macintosh and Windows are not susceptible to this problem; according to Netscape, no Macintosh versions of Netscape mail software are compromised. As of this writing, the only Macintosh email client reported to be vulnerable is Microsoft Outlook Express, version 4.0 and version 4.0.1 with build numbers less than 297 (choose About Outlook Express from the Apple menu to see the build number of your program.) Microsoft says a patch for the Mac version of Outlook Express will be available 30-Jul-98.