Let's Get This Straight: The great e-mail scare

Published August 3, 1998 7:00PM (EDT)

| The news spread like a, well, virus: Both Microsoft's and Netscape's e-mail programs harbor a potentially deadly security flaw! If users of these programs -- Microsoft Outlook and Outlook Express and Netscape's Messenger -- aren't careful, their hard drives could be erased!

Has anyone's hard drive been erased? Uh, no. In fact, there is no evidence anywhere of anyone actually attempting to exploit this newly exposed security flaw for malicious (or any other) ends -- aside from the efforts of the Finnish researchers who first identified the problem, and the engineers at Microsoft and Netscape who are now working overtime to repair it.

Of course, now that the story has been on the front page of newspapers across the country, that could well change. Still, somehow the news seems a lot less dire when you realize that harm from the security hole remains strictly potential.

Let's review the details: For years, computer security experts have told us that dangerous computer viruses can't infect our systems via e-mail -- as long as we just read the e-mail and don't actually run any code or activate any programs that arrive as attachments to the e-mail message. Recently, so-called macro viruses have emerged that infect Microsoft Word documents; by opening these documents, you can activate such a virus -- so at this point, it's a good idea not to read any Word documents that arrive as attachments from strangers, either.

But a plain-text e-mail message that can melt down your system? That's not for real; it's a hoax like the notorious Good Times virus -- an e-mail that warned users not to read any e-mail messages from an America Online address labeled "good times" because it could fry their hard drives. The bogus warning is still probably rattling around somewhere on the Net.

The first reports of the new security hole in Microsoft's and Netscape's e-mail readers suggested that suddenly everything had changed -- and just downloading an e-mail message could, at least theoretically, trigger a dangerous virus. The trouble stems from how these programs handle abnormally long names for file attachments they receive. A well-behaved, carefully written program would simply truncate a longer-than-expected name; but various versions of Microsoft's and Netscape's programs instead load the longer name into memory, overloading the "buffer" or memory space allocated to the name and spilling over into adjacent areas of the computer's memory.

So what? Well, if a malicious programmer packed this extra-long file name with executable program code rather than harmless file-name information, you'd be in trouble. When word of the specific nature of the security flaw got out on the Net, experienced programmers rolled their eyes: This particular "buffer overflow" goof is a classic coding error (something similar lay behind the infamous "Internet worm" that brought the Net to its knees in 1988). For leading software vendors like Microsoft and Netscape to have made this mistake today is appalling.

So has everything changed? Do we all need to worry that every e-mail message we receive may be a bomb ready to level our systems? Of course not. For starters, those of us who use older, and in many ways better, e-mail programs -- like the beloved Eudora -- don't need to worry. If you do use one of the affected programs, you'll soon be able to get a patch to fix it (Microsoft information is here, and Netscape's is here). Until you've installed a patch, just delete any incoming messages with suspicious attachments -- before you even look at the file name -- and tell the sender that you'll be happy to read his or her message in plain text in the body of the e-mail. And while you're waiting for the patch, it can't hurt to maintain a good, up-to-date backup of your most important data, just in case. But you do that already, right?

None of this is fun, and some of it is quite alarming, but it's still pretty far from the nightmare scenarios of total Internet chaos that some of the news coverage has painted. In stories of this kind, the hypothetical "coulds" of computer security experts ("this could become a widespread problem") shade quickly into the dire certainties of news headlines and leads -- like the San Francisco Examiner front-page story that referred to a "malicious bug."

The Examiner wrote: "The bug, called the 'long file' or 'name' e-mail bug, works by way of e-mail attachments and can erase files on a hard drive, crash a computer and wreak general havoc on a desktop. Worse, the user doesn't even have to open the e-mail message for the destructive program to take hold." Instead of making clear that the security flaw simply opens the door to hypothetical "destructive programs" that don't yet seem to exist, the story's fuzzy wording makes it sound like the "bug" itself causes crashes and lost files.

Until actual malice surfaces somewhere and computers start to go down, the real story here isn't so much one of cyber-terrorism but of plain old bad programming. As Russ Cooper, who maintains the NTBugTraq mailing list (where the security flaw was first publicized) puts it on his Web site: "Two of the largest distributors of Internet software, strong competitors against each other with a strong belief in the uniqueness of their products, have independently, simultaneously, tripped over the same 40-year-old programming mistake in exactly the same place!"

The best coverage of this story -- like John Markoff's follow-up in the New York Times -- focused on the roots of the security flaw in the nature of popular programming languages like C and C++, and the accelerated product cycle of today's Internet-driven software business. Put the two together and badly written, ill-protected programs are almost an inevitability.

That's scary enough. But there's an important difference between telling people that "The Internet is a scary place full of people trying to sabotage your computer," which is still what comes across through much news coverage of this kind of story, and saying that "Internet software companies are doing a lousy job of protecting you from the rare jerk who might try to sabotage your computer."

The first message incites people to either agitate for futile new laws against Net crime or to stay offline. The second motivates them to get mad at bad products and the companies that sell them. On his NTBugTraq site, Cooper is calling for "a mechanism for software recalls," "independent testing of software products that provide the equivalent of an Underwriter's Laboratory seal of approval," and changes in the nature of software licensing that would allow users in some circumstances to sue developers for problems stemming from bad code.

Those are good suggestions, worth a wider debate. Something tells me that would be a lot more interesting than another round of "The hackers are coming! The hackers are coming!"

By Scott Rosenberg

Salon co-founder Scott Rosenberg is director of MediaBugs.org. He is the author of "Say Everything" and Dreaming in Code and blogs at Wordyard.com.

MORE FROM Scott Rosenberg

Related Topics ------------------------------------------