New York Times, August 11, 1998
By JOHN MARKOFF
SAN FRANCISCO -- The leading provider of software that routes electronic mail through the Internet plans to announce on Tuesday that it has developed a simple and free fix for a security vulnerability discovered in three E-mail programs made by the Microsoft Corporation and the Netscape Communications Corporation.
The vulnerability, found in late June in Microsoft's Outlook Express and Outlook 98 and Netscape Mail, enables an attacker to send an E-mail message containing a malicious program that could damage or steal data.
Microsoft has already developed and posted on its Web site a patch that it says will protect its E-mail programs from the attack, and Netscape is planning to release a software fix shortly.
But for several reasons, officials of Sendmail, the company that makes the software that manages the majority of mail systems, said that installing the fix on the central electronic post office rather than on each computer made sense. First, they said that as many as seven other programs have now also been found to be vulnerable. In addition, large companies that have their own E-mail servers, as the electronic post offices are known, would have to fix only one program rather than installing a patch on all their computers.
Though there have been no reports that the vulnerability has been exploited, security experts are concerned because they say there is no easy defense against such an attack.
The Sendmail patch does not protect against a more recent flaw discovered last week in some versions of Eudora, the most popular electronic mail program for personal computer users.
Eric Allman, a founder of Sendmail, said Monday that his company's patch would automatically trap E-mail messages carrying dangerous attached files that could exploit the vulnerability.
Sendmail plans to announce its patch in concert with Computer Emergency Response Teams in Australia, Germany and the United States. These government-sponsored agencies attempt to alert computer users to security dangers and to provide information on security developments for specific systems.
Sendmail began work on its patch after response team officials suggested that a single network fix might offer a better solution than fixing millions of copies of E-mail software on individual computers.
Sendmail will offer its patch at no cost.
"Free is a good price," said Allman.