REDMOND, Wash., July 29, 1998 — Microsoft Corp. was notified by AUSCERT ( http://www.auscert.org.au/ ), OUSPG ( http://www.oulu.fi/ ) and NT Bugtraq ( http://ntbugtraq.ntadvice.com/ ) of a security vulnerability affecting e-mail software. Customers using e-mail packages including the Microsoft® Outlook 98 messaging and collaboration client and Microsoft Outlook Express are vulnerable if targeted by malicious hackers. Microsoft has worked quickly to alert customers of the issues.
Microsoft takes security very seriously, and is committed to ensuring that all its customers enjoy a rich, safe and secure computing experience. Microsoft developers have been working around the clock to isolate and deal with these issues.
The issue centers on how e-mail software handles file attachments with extremely long file names. When users attempt to download, open or launch a file attachment that has a name containing more than a certain number of characters, their action can cause the program to shut down unexpectedly. It is possible – although difficult – for a hacker to cause malicious code to be executed on a computer as a result of this problem.
To date, no customers have been affected by this loophole. But Microsoft acknowledges that this is an extremely important and serious issue, and is working quickly to provide a comprehensive fix.
Microsoft posted a software update on Monday (information on the update can be found at http://www.microsoft.com/security/bulletins/ms98-008.asp ) that protects customers against the potential problem involving file attachments with extremely long names. Microsoft strongly recommends that customers using Microsoft Outlook 98 or Microsoft Outlook Express 4.x (part of Internet Explorer) immediately apply the appropriate update. To ensure customer safety with regard to this and other security-related issues, Microsoft is investigating further to uncover variants that the current patch may not block. Microsoft will communicate additional information about this research as it becomes available.
Notification was posted to the Microsoft Security Advisor Web site ( http://www.microsoft.com/security/ ) and has also been sent to the Microsoft Security Notification listserver (to which anyone can subscribe: more information is available at http://www.microsoft.com/security/ ), as well as to the Computer Emergency Response Team (CERT), an industry security organization based at Carnegie Mellon University, which distributes and coordinates security information to users.
Microsoft is also working proactively and broadly to communicate with customers affected by this issue. The company will continue to keep its customers informed, and recommends that customers visit http://www.microsoft.com/security/ for the latest information and updates.
Microsoft and Outlook are registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.
Other product and company names herein may be trademarks of their respective owners.
Note to editors: If you are interested in viewing additional information on Microsoft, please visit the Microsoft Web page at http://www.microsoft.com/presspass/ on Microsoft’s corporate information page.