E-mail virus info 'stolen'

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread

Wednesday, May 31 2000

E-mail virus info 'stolen'

30.05.2000 - By GREGG WYCHERLEY

An Auckland software developer who found a security flaw in Microsoft's e-mail software that he believes could secretly unleash a "hell virus" says files on his discovery have been stolen from his computer.

Phil Saleh, creative director of Arabesque Multimedia - who has a back-up of his find - discovered the flaw in Microsoft's Outlook Express program while designing Java script software that automatically activates computer functions.

"We discovered we could write a program that will activate any type of executable file on a computer through e-mail," says Mr Saleh.

"Which means if we have your e-mail address we can control your computer - or attach a virus which could automatically send itself to every name in your address book without you even being aware of it.

"Using what I have found out, I could make a virus much worse than the 'I love you' bug because you wouldn't have the option of deleting the e-mail carrying the virus before it infected your computer - it would activate automatically whether you read the message or not."

Mr Saleh alerted Microsoft's Security Response Centre in Redmond, Washington, but it said it could not find any "security vulnerability."

He e-mailed Government departments both in New Zealand and overseas, even contacting the US Central Intelligence Agency. No one replied.

Somebody must have been interested, however. Two weeks ago Mr Saleh's computer was hacked and all the files relating to his discovery stolen, though he does maintain a back-up.

"My computer had been acting strangely, then I noticed the missing files. The only other way they could disappear like that would be for someone to break in here and delete the files off my computer."

He didn't bother going to the police because there was nothing he could show them. "I think someone has been watching what I've been doing and broken into my system to see what I know."

He is concerned hackers could work out how to use the program flaw to create a "hell virus."

Computer forensics consultant John Thackray, director of Thackray Forensics, who works with the police on computer crime, studied Mr Saleh's findings.

"Even in this relatively harmless form this is a virus that would be very unwelcome on anybody's system. If it was compiled with malicious intent it could do catastrophic damage."

He said it was different to recent viruses like the "I love you" bug because it could infect computers without the user having any delete option.

Mr Thackray said Microsoft, which had so far refused to acknowledge any security breach, should take Mr Saleh's claims seriously. "Anyone who says this is not a security concern would be very naive. Mr Saleh has made Microsoft aware of it and if they don't take it seriously that's their problem."

Mr Thackray had the virus scanned by Trendmicro.com, one of the top virus checking systems. The scan was unable to detect it.

One person who experienced the effects was Marie-Dominque Lennan, a business acquaintance of Mr Saleh who had her computer disabled by an e-mail.

"I got an e-mail message from Phil Saleh which completely froze my computer. It started opening up windows, then it opened the Arabesque Website. Even after shutting down the system it was still there. Mr Saleh had to send me another e-mail which let me control my computer again."

Security experts spoken to by the Herald acknowledged the feasibility of Mr Saleh's claims, and said they would be intrigued to see what he had discovered.

But Microsoft's security response centre e-mailed Mr Saleh to say it had run his program and had not encountered any breach.

Mr Saleh is disappointed in their response.

"I have demonstrated this to a lot of experts, who all say it works. I can't understand why Microsoft don't believe me.

"I am willing to prove what I say any time they ask."

Microsoft New Zealand spokeswoman Carolle Leishman said the company never received the original warning message he said he sent.

"We have no record of any communication with Mr Saleh until now. We still need to verify the situation and our security response team will investigate and evaluate it."

PC users concerned about the threat have a simple solution: turn off the Java Script feature, which can be disabled from "Internet Options" in "Control Panel."

* This is an updated version of a story from earlier today in which we stated that John Thackray "was not aware of any police operation dealing with viruses but would investigate Mr Saleh's discovery."

http://www.nzherald.co.nz/storydisplay.cfm?storyID=138622&thesection=technology&thesubsection=general



-- Martin Thompson (mthom1927@aol.com), May 30, 2000

Answers

Thursday, June 01 2000

Microsoft hits back over claim of 'hell virus' risk

31.05.2000 - By GREGG WYCHERLEY

Microsoft says there are no problems with its e-mail software, even as computer experts have come out in support of an Auckland software designer who says its e-mail programs are dangerously flawed.

Phil Saleh, creative director of Arabesque Multimedia, says he has discovered a security flaw in Microsoft's Outlook Express program that could allow hackers to create devastating new "hell viruses."

Microsoft New Zealand's technical marketing manager, Craig Dewar, said the program was not flawed and users could protect themselves by activating the "Restricted sites zone" found in the "Tools" menu of Outlook by selecting "Options" then "Security."

The setting does not stop the Java Script viruses Mr Saleh warns of, but does let the user choose whether to allow the Java Script to run.

But there are also indications that Microsoft is still analysing the problem. Mr Saleh received an e-mail yesterday from the Microsoft Security Response Unit in California requesting more details of the flaw he had discovered.

"Our technical staff here have not yet been able to reproduce the full scope of effects and problems that you described ... I would like to encourage you to forward any additional sample code that would help speed our analysis," said the e-mail.

Mr Saleh was willing to provide more details but could not understand why Microsoft still would not acknowledge the problem. Mr Dewar did acknowledge, however, that Microsoft was working on ways to improve e-mail program security.

"We are releasing a security patch that is designed to lock down 'I Love You' style viruses. It will also change the configuration to close this loophole."

Mr Dewar could not say when the security patch would be released. But computer forensics expert John Thackray did not accept Microsoft's explanation.

"Most people do not know how to use these security functions; it is a flaw in the system."

The function also disabled many of the capabilities Microsoft used in advertising to market the program.

http://www.nzherald.co.nz/storydisplay.cfm?storyID=138738

-- Martin Thompson (mthom1927@aol.com), May 31, 2000.

