AIDS TREATMENT NEWS Issue #301, August 21, 1998
John S. James
According to reports in the SAN JOSE MERCURY NEWS, THE NEW YORK TIMES, and the software publishers' Web sites listed below, the programs affected are:
* Eudora Pro for Windows, but only the new versions 4.0, 4.0.1, and some 4.1;
* Microsoft Outlook 98 and Microsoft Outlook Express 4.x (including Outlook Express 4.1 on the Macintosh and Solaris);
* Netscape Communicator for Windows, versions 4.01, 4.05, and 4.5 Preview Release 1.
There may also be similar problems in other software. The recent discoveries have led to an intensive search.
If you are running email software that may be affected, make sure that important data is backed up so that it will not be lost if all data on the hard disks is destroyed. Also, the companies involved are providing instructions on how to fix their software; sometimes a temporary fix is as easy as turning off an option, and sometimes a patch or an upgrade is required (but only use a patch or upgrade from a trusted source--not one which arrives unsolicited by email). Check the following Web sites:
* For Eudora Pro 4.0, 4.0.1, or 4.1: http://eudora.qualcomm.com/security.html;
* For Microsoft Outlook 98 and Microsoft Outlook Express 4.x: http://www.microsoft.com/ie/security;
* For Netscape Communicator: http://www.netscape.com.
Comment
Some computer users may be reluctant to believe these warnings, because they sound like email security hoaxes which have been distributed like chain letters on the Internet. But this report was first published July 28 on page 1 of the SAN JOSE MERCURY NEWS--probably the best general newspaper in the country for coverage of the computer industry. THE NEW YORK TIMES picked it up two days later; and a team at the U.S. Department of Energy called the problem extremely serious. (The Eudora flaw is somewhat different from the others and was discovered later; it affects only a minority of users.)
In some cases it might not even be necessary to open the malicious email; just receiving it may be enough. A sophisticated program which searched target computers for email addresses and used them to replicate itself could affect millions of users very rapidly, and existing anti-virus software would not protect against it. As of mid-August we have not heard of any malicious use of these security flaws; but that could change quickly now that the vulnerability is widely known.
Older email programs are not likely to be affected, because each email message is only a text which is displayed; no matter what the content, it cannot run any program. New software often allows email messages to do more than just display a text--creating a trade-off of convenience vs. security.
Since AIDS TREATMENT NEWS does not use any of the software known to be affected, we could not easily test the fixes provided at the above Web sites. Unfortunately the software industry is notorious for poor usability and maintainability of its products. If you cannot get the provided instructions to work, other options are to wait until a software upgrade is available, or switch at least temporarily to a different email program.
Copyright © 1998 - AIDS Treatment News. Permission granted for noncommercial reproduction, provided that our address and phone number are included if more than short quotations are used. Subscription lists are kept confidential. AIDS Treatment News, Subscription and Editorial Office: 1233 Locust St., 5th floor Philadelphia, PA 19107 800/TREAT-1-2 toll-free email: aidsnews@critpath.org http://www.aidsnews.org
This article first appeared in 1998.