Monday, Aug. 10, 1998

Bugs Of Summer

By JOSHUA QUITTNER

The first casualty of the browser war isn't Netscape or Microsoft--it's us. The two software companies have been releasing revisions to their Internet browsers at a hellish pace, leapfrogging each other with new features so quickly that the things aren't adequately debugged. And now we learn that for the past year, their free e-mail programs have contained a dangerous defect that allows any bad guy to send e-mail that can crash your computer. (It's so easy, even I can do it.)

In more sophisticated--and malicious--hands, the defect can be used to insert a "Trojan horse," a program that can stealthily take over your PC and, for instance, grab your passwords. More than 17 million PCs have the affected versions of Microsoft's Outlook 98 and Outlook Express and Netscape's Communicator.

You'd think Microsoft and Netscape would immediately recall their programs. Instead, both companies are trying to market their way out of this debacle. Microsoft points out that if you've updated to Windows 98, a corrective patch can automatically be delivered to your computer over the Net. If you don't have Windows 98, the company's unspoken message is: Buy it. You can also download the patch manually from the Web, however, without paying Microsoft $89 to fix its screwup (see time.com/personal for instructions). Netscape, which claims the bug is harder to invoke in its software, initially told users to wait for a fix later this month. Now a "smart update" is supposed to be released this week.

Maddeningly, Netscape and Microsoft were slow to fix the problem, which was discovered on June 23 by Ari Takanen and Marko Laakso, researchers at the University of Oulu in Finland. The pair immediately reported it to Netscape and Microsoft. Failing to get a timely response, they turned to NTBugtraq, an influential Net-based mailing list that tracks PC-security issues, and quietly reached some Microsoft techies. Ed Muth, who oversees security issues for Microsoft, says he's checking to see whether the company's response was tardy. Muth, by the way, disputes my thesis that fevered competition is causing half-baked code to be rushed out the door. A 10 million-line test failed to catch the bug, he says.

But Bill Cheswick, a security expert at Bell Labs, argues that simple carelessness caused the glitch: "It's an old rookie mistake--something you get in freshman programming." The bug enables an evil-minded e-mailer to send an attachment whose file name is thousands of bytes long and is itself an executable program. Apparently, someone forgot to set a size limit on file names for attachments: the name is copied into a fixed-size buffer without being checked against that buffer's length, so an over-long name spills past the end of the buffer and overwrites whatever sits next to it in memory. The recipient never has to run the attachment; the mail program parses the name as soon as it handles the message. Oops. While Microsoft and Netscape say they've yet to hear of any hackers exploiting the bug, "I would be surprised if there weren't some bad guys out there who already had this in their tool kit," says Cheswick.
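To make Cheswick's "rookie mistake" concrete, here is an added illustration in C of the missing size check, written for this page and not taken from Outlook, Outlook Express or Communicator, whose source is not available. It assumes a 256-byte name buffer (the real clients' buffer sizes are not given in the article), a header line of the form Content-Disposition: attachment; filename="...", and the function names used below; all are hypothetical. The unchecked copy is the bug; the checked copy beside it is the one-line fix the article says was forgotten.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed size of the fixed on-stack buffer a 1998-era mail client used for
 * an attachment name. The article gives no real figure; 256 is illustrative. */
#define NAME_BUF 256

/* Locate the value of filename="..." in a Content-Disposition header line.
 * Returns a pointer to the first byte of the value and stores its length in
 * *len, or returns NULL if the parameter is absent. Copies nothing. */
static const char *find_filename(const char *hdr, size_t *len)
{
    const char *p = strstr(hdr, "filename=\"");
    if (!p) return NULL;
    p += strlen("filename=\"");
    const char *end = strchr(p, '"');
    if (!end) return NULL;
    *len = (size_t)(end - p);
    return p;
}

/* VULNERABLE: the name is copied into the caller's NAME_BUF-byte buffer with
 * no comparison against that size. A name longer than NAME_BUF-1 bytes runs
 * off the end of the buffer and overwrites whatever the compiler placed after
 * it, including the saved return address; a name that is itself machine code
 * can then be executed. Returns the number of bytes copied. */
static size_t copy_name_unchecked(const char *hdr, char *out)
{
    size_t len;
    const char *val = find_filename(hdr, &len);
    if (!val) { out[0] = '\0'; return 0; }
    memcpy(out, val, len);      /* the missing size limit */
    out[len] = '\0';
    return len;
}

/* HARDENED: identical parse, but the caller passes the buffer size and an
 * over-long name is refused (returns -1) instead of being copied. Refusing,
 * rather than silently truncating, also keeps a hostile name from being
 * quietly turned into a different, innocent-looking one. */
static int copy_name_checked(const char *hdr, char *out, size_t outsz)
{
    size_t len;
    const char *val = find_filename(hdr, &len);
    if (!val) { out[0] = '\0'; return 0; }
    if (len >= outsz) return -1;    /* leave room for the terminating NUL */
    memcpy(out, val, len);
    out[len] = '\0';
    return (int)len;
}

/* Build a constructed header carrying a file name of n copies of fill.
 * Test input only; the caller frees the result. */
static char *make_header(size_t n, char fill)
{
    const char *pre = "Content-Disposition: attachment; filename=\"";
    const char *post = "\"\r\n";
    char *h = malloc(strlen(pre) + n + strlen(post) + 1);
    if (!h) return NULL;
    strcpy(h, pre);
    memset(h + strlen(pre), fill, n);
    strcpy(h + strlen(pre) + n, post);
    return h;
}

int main(void)
{
    char buf[NAME_BUF];
    const char *benign =
        "Content-Disposition: attachment; filename=\"report.doc\"\r\n";
    char *hostile = make_header(4000, 'A');   /* constructed 4000-byte name */
    if (!hostile) return 1;

    /* Both versions behave identically on an ordinary name. */
    size_t n1 = copy_name_unchecked(benign, buf);
    printf("unchecked: %zu bytes -> %s\n", n1, buf);
    int n2 = copy_name_checked(benign, buf, sizeof buf);
    printf("checked:   %d bytes -> %s\n", n2, buf);

    /* Only the checked version may be fed the hostile header. Calling
     * copy_name_unchecked(hostile, buf) here would write 4000 bytes into a
     * 256-byte stack buffer, which is exactly the crash the article describes. */
    printf("checked on 4000-byte name: %d (refused)\n",
           copy_name_checked(hostile, buf, sizeof buf));
    free(hostile);
    return 0;
}
```

The fix is the single comparison `if (len >= outsz) return -1;`. Everything else in the two functions is the same, which is why Cheswick calls it a freshman error: the length was known at the point of the copy and simply never compared to the buffer.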

So if you're one of the unlucky millions who use the affected products, what should you do? Back up your hard drive. Get the patches now. (And if you keep the original programs on disks, label them so you'll remember the patch if you ever reinstall.) Better yet, do what I do: buy a better e-mail program. I've always used Qualcomm's Eudora, which is killer-bug free.

See time.com/personal for more on e-mail bugs. E-mail Josh at [email protected] Watch him and Anita Hamilton on CNNfn's Digital Jam, at 7:30 p.m. E.T. on Wednesdays.