When a South American team of hackers revealed a major hole in Microsoft's popular Outlook e-mail-client program on July 18, info-tech geeks went ballistic. Online bulletin boards filled up with venomous rants from systems administrators, swearing off Microsoft for the umpteenth time. The cyber-press cast the story as a doomsday scenario, with the entire world Internet grid grinding to a halt. Imagine the horror: E-mail that didn't even have to be opened to wreak havoc.
Microsoft reacted swiftly and posted a patch (MSNBC broke the news of the security flaw -- a bonus synergy, perhaps?). And Underground Security Systems Research, or USSR (www.ussrback.com), which found the flaw, warned the colossus in Redmond before publishing its advisory on security portal SecurityFocus' Bugtraq mailing list (www.securityfocus.com).
Hype? To some extent, but the fracas over the security hole was justified. This was a virus hazard with a significant difference. The Love Bug (and the majority of viruses that have grabbed headlines) required two clicks -- one for users to download their e-mail and a second to open the attached file, which is what actually ran the malicious code. Of course, that second click might not have been necessary if the e-mail client was configured to open attachments automatically, but most users, one hopes, have disabled that option by now.
ANATOMY OF A FLAW.
But this new Outlook flaw was a one-click problem that would have delivered the malicious code through the e-mail download alone. "The minute you go to pick up your mail, that's when it crashes your system," explains Jim Stickley, chief engineer at computer security firm Garrison Technologies (www.garrison.com). And don't expect this to be the last one-click virus hazard, since computer users increasingly demand one-click access to everything.
Here's a quick anatomy of the Outlook flaw. It involved a so-called buffer overflow, one of the most common ways of breaking into or compromising software, on servers and desktops alike. A program sets aside a fixed amount of memory -- a buffer -- for a piece of input it expects, such as a field on a Web page or a line in an e-mail header. An attacker then supplies far more characters than the programmer ever anticipated, and if nothing checks the length before the copy, the excess spills past the end of the buffer and overwrites whatever the program keeps next to it in memory.
At its crudest, that spillover simply corrupts the program's working data and crashes it. Last week's USSR exploit hit an easily reached input field, one that any sender controls: the Date header of an e-mail message, where the mail software records when the message was sent, normally expressed relative to GMT (Greenwich Mean Time). "It looks like the library that parses this date field did not check any bounds at all," says Joel Scambray, a managing principal at security consultancy Foundstone (www.foundstone.com) and co-author of the book Hacking Exposed.
TROJAN HORSES.
With no checks on the number of characters that could be inserted, a hacker could dump 1,000 or more characters into that tiny slot. That's a problem not only for some e-mail programs but also for virus-detection schemes, which screen for distinctive byte patterns that serve as signatures of known attacks. "The reason it's hard for them is that buffer overflows are long strings of data. You can't stop a piece of mail because it has a long piece of data," says Stickley.
For unskilled computer assailants, it's an easy way to deny service to a Web site or to shut down a company's e-mail. But the real danger comes from skillful, malicious hackers: "They will append a small amount of assembly code at the end [of the character string] that will get shoved into the execution pipeline," explains Scambray.
Because the overflow runs over the return address the program saved on its stack, the processor, when the parsing routine finishes, jumps to the attacker's injected code instead of back to where it left off. With that foothold, hackers can create back doors -- often planted by way of a Trojan Horse, a program that hides a hostile function behind a legitimate-looking one -- into computer systems. Through these back doors, they can later easily slip into a network undetected.
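As an added illustration of the bug class described in the two passages above (this is example code written for this page, not Outlook's parser and not anything from USSR's advisory): the Date header parser below exists in two versions. The unchecked one copies however many bytes the sender supplied into a fixed 64-byte stack buffer, which is exactly the shape of flaw Scambray describes and which works flawlessly on every legitimate message; the hardened one compares the length with the destination before copying and rejects the message outright, the kind of control Stickley says a signature scanner cannot provide. The 64-byte limit, the sample headers and the 1,000-byte filler are all constructed for the example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define DATE_MAX 64   /* assumed bound (not from the article): genuine RFC 822 dates are under 40 bytes */

/* Constructed sample message, not a real capture. */
static const char BENIGN_MSG[] =
    "From: alice@example.com\r\nDate: Tue, 18 Jul 2000 14:05:07 GMT\r\n\r\nbody\r\n";

/* Case-insensitive test that `line` begins with `name` followed by ':'. */
static int header_is(const char *line, const char *name)
{
    for (; *name; line++, name++)
        if (tolower((unsigned char)*line) != tolower((unsigned char)*name)) return 0;
    return *line == ':';
}

/* Locates header `name` in the header block of `msg`: returns a pointer into
 * `msg` with the value's length in *len, or NULL if absent. Copies nothing. */
static const char *find_header(const char *msg, const char *name, size_t *len)
{
    const char *line = msg;
    while (*line && *line != '\r' && *line != '\n') {  /* blank line ends headers */
        const char *eol = strpbrk(line, "\r\n");
        const char *end = eol ? eol : line + strlen(line);
        if (header_is(line, name)) {
            const char *v = line + strlen(name) + 1;
            while (v < end && (*v == ' ' || *v == '\t')) v++;
            *len = (size_t)(end - v);
            return v;
        }
        if (!eol) break;
        line = eol + (eol[0] == '\r' && eol[1] == '\n' ? 2 : 1);
    }
    return NULL;
}

/* The pattern the article describes: a fixed stack buffer and a copy length taken
 * straight from the message. Correct for every genuine Date: header, so it survives
 * testing; 1,000 bytes run past `date` over the saved return address. Comparison only. */
static int parse_date_unchecked(const char *msg, char *out)
{
    char date[DATE_MAX];
    size_t len;
    const char *v = find_header(msg, "Date", &len);
    if (!v) return -1;
    memcpy(date, v, len);            /* len is never compared with DATE_MAX */
    date[len] = '\0';
    strcpy(out, date);
    return 0;
}

/* Hardened form: check the length against the destination before copying and
 * refuse, rather than silently truncate, a value that does not fit. */
static int parse_date_checked(const char *msg, char *out, size_t out_size)
{
    size_t len;
    const char *v = find_header(msg, "Date", &len);
    if (!v) return -1;               /* no Date: header */
    if (len >= out_size) return -2;  /* oversize: reject the message */
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Constructed message whose Date: value carries `pad` filler bytes where the time zone belongs. */
static char *make_hostile_message(size_t pad)
{
    const char *prefix = "Date: Tue, 18 Jul 2000 14:05:07 ";
    size_t p = strlen(prefix);
    char *m = malloc(p + pad + 5);
    if (!m) return NULL;
    memcpy(m, prefix, p);
    memset(m + p, 'A', pad);
    strcpy(m + p + pad, "\r\n\r\n");
    return m;
}

/* 1 if both parsers agree on the benign sample: the unchecked one is not visibly broken. */
static int check_benign(void)
{
    char a[DATE_MAX], b[DATE_MAX];
    return parse_date_unchecked(BENIGN_MSG, a) == 0
        && parse_date_checked(BENIGN_MSG, b, sizeof b) == 0
        && strcmp(a, b) == 0
        && strcmp(b, "Tue, 18 Jul 2000 14:05:07 GMT") == 0;
}

/* 1 if a 1,000-byte time zone field is refused by the checked parser. */
static int check_hostile_rejected(void)
{
    char out[DATE_MAX];
    char *m = make_hostile_message(1000);
    int rc = m ? parse_date_checked(m, out, sizeof out) : 0;
    free(m);
    return rc == -2;
}
```

The point of running both parsers on the benign message is that nothing distinguishes them on ordinary input; only the oversize header, which no test suite built from real mail would ever contain, separates a crash (or worse) from a clean rejection.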
"CLOSE TO IMPOSSIBLE."
Stickley believes that, despite increased scrutiny, buffer overflows aren't going away anytime soon. That's in part because of the pressures from investors and financial markets to rush new computer products, finished or not, out the door. And massive code bases just make the task more difficult. "Microsoft is trying. But their code is huge. It's millions and millions of lines of code. Patching all of that is pretty close to impossible," explains Stickley.
And as computer users grow to expect more seamless functionality, problems with one-click virus attacks will likely grow worse. Security professionals are already dealing with this issue in the form of a raft of exposures in Web browsers running Microsoft's ActiveX controls, downloaded components that execute as native code with the full privileges of the user.
But the Web and the desktop are becoming more and more interwoven. Dynamic content, like Java applets or Flash animations, is increasingly downloaded onto desktops. And e-mail and browsing are rapidly merging, as HTML-enabled e-mail morphs to include dynamic links to streaming video or sound that don't require the user to leave the e-mail program.
VIRUS NET.
That effectively bridges the gap between an e-mail program and the browser, so that every one of the browser's myriad security holes becomes reachable through something as ubiquitous as e-mail. Adding to the issue is the triumph of Scott McNealy's mantra: The network is the computer. So computer pathogens that slip past detection at the network server level, such as a Web page carrying hostile script, can run amok. "People want dynamism. They want a stock ticker and [audio/video] players that run. But downloaded code is downloaded code. The problem is, most people haven't paid attention to the implications of ActiveX or Java," says Scambray.
To combat some of these issues, Stickley recommends security products from a company called Finjan (www.finjan.com) that operate on a different principle from traditional firewalls and intrusion-detection services. Finjan's products, says Stickley, effectively wall off many unauthorized executable programs and prevent them from acting on the compromised computer -- much the same way that antibodies surround a bacterial intruder in living tissue.
But Finjan's products have to be running on the user's desktop, an ornery task that requires already strapped network administrators to go through multiple installations and updates for what has traditionally been a server-based process. Furthermore, Finjan can cause conflicts with some software packages.
The upshot? Closely linked software and the demand for one-click functionality will give malicious hackers easy ways to take advantage of unwary users. While it's probably not worth forcing everyone to stop using Outlook or Microsoft's Internet Explorer, companies might think about decoupling as best they can the vulnerable parts of some of the most tightly bound software packages.
Salkever writes about security issues for BW Online. Follow his column twice a month, only on BW Online.