Is Email No Longer Safe to Read?
By Lincoln D. Stein
Every few months the "Good Times Virus" scare rears its ugly head. For a few hours there's a flurry of panicky emails from naive users in my organization who've received an email warning them that a lethal email message with the subject line "Good Times" is wandering the Internet, erasing the hard disk of anyone who opens the letter to read it. I have always been able to assure people that this message is just a hoax and that opening an email message can't possibly do anything dangerous to one's system. Until recently, that is.
This summer has seen the development of a new type of Internet threat -- the email bomb. Like real letter bombs, the electronic variety appears perfectly innocent until you open it or try to view an attachment. Then, if you have one of the several susceptible email readers, the bomb explodes, crashing your system, stealing personal data, altering system security files, or even -- as the Good Times hoax purports to do -- wiping your hard disk clean. Nobody has been attacked by such a bomb yet, and email reader vendors are patching their software as quickly as possible to avoid the eventuality. However, the widespread distribution of vulnerable systems, which include the email readers built in to recent versions of Netscape Navigator, Internet Explorer, and Eudora, combined with the ease of creating such bombs, means that it's only a matter of time before some innocent user is harmed.
Rumblings on the Horizon
The first problems appeared late last July when two Finnish computer scientists, Ari Takanen and Marko Laakso, discovered static buffer overflow bugs in both Microsoft Outlook Express (version 4.7
