There's a new way for hackers to take control of your PC - simply send it an e-mail.
Microsoft says two independent researchers have discovered a way to include malicious code inside the software company's Outlook e-mail, making it much easier for a hacker to control another person's computer.
"We don't know of cases where people have exploited this [problem] but the mere fact that it's possible is important because now that it's public, hackers can immediately try to exploit it," reports CBS News Computer Consultant Larry Magid. "When a security expert discovers a vulnerability or a flaw in a piece of software that no one else has discovered, once that information is made public, the hacker community now has a target."
According to the researchers, there is a way for a malicious hacker to hide software code in an e-mail's time and date stamp through a "buffer overflow" - extra letters and numbers that trigger an error in the computer. After those letters and numbers, the hacker can include software code that the computer will recognize as legitimate instructions as if they were typed by the victim.
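As an added illustration, not code from the article, from the researchers or from Microsoft, the following Python mail-gateway check works from the defender's side: it parses a message with the standard library, flags a Date header (assumed here to be the "time and date stamp" the article means) that is far longer than any legitimate timestamp or that does not parse as a date, and flags the .SHS attachment name the bulletin cites. The 100-character threshold and the sample messages are constructed assumptions.

```python
import email
from email.utils import parsedate_to_datetime

# Assumed gateway threshold (not from the article): a well-formed RFC 822 Date
# value is under 40 characters, so 100 leaves generous slack before flagging.
MAX_DATE_LEN = 100

def check_message(raw: str) -> list:
    """Inspect one raw message; return a list of findings (empty = nothing suspect)."""
    findings = []
    msg = email.message_from_string(raw)      # stdlib parser, handles folded headers
    date = msg.get("Date")
    if date is None:
        findings.append("missing Date header")
    else:
        if len(date) > MAX_DATE_LEN:
            findings.append("oversized Date header (%d chars)" % len(date))
        try:
            parsedate_to_datetime(date)       # rejects values that are not a real date
        except (TypeError, ValueError):
            findings.append("unparseable Date header")
    for part in msg.walk():                   # also flag the .SHS scrap attachment named in the bulletin
        name = part.get_filename() or ""
        if name.lower().endswith(".shs"):
            findings.append("scrap-object attachment: " + name)
    return findings

# Constructed sample messages (not real captures).
BENIGN = (
    "From: alice@example.invalid\r\n"
    "Date: Tue, 18 Jul 2000 10:15:00 -0500\r\n"
    "Subject: lunch\r\n\r\nSee you at noon.\r\n"
)
OVERSIZED_DATE = (
    "From: mallory@example.invalid\r\n"
    "Date: " + "A" * 300 + "\r\n"            # stands in for an overlong, malformed stamp
    "Subject: Fw: Funny\r\n\r\n(body)\r\n"
)
SCRAP_ATTACHMENT = (
    "From: mallory@example.invalid\r\n"
    "Date: Tue, 18 Jul 2000 10:15:00 -0500\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\n"
    'Content-Disposition: attachment; filename="LIFE_STAGES.TXT.SHS"\r\n\r\n'
    "(attachment bytes)\r\n--b1--\r\n"
)

if __name__ == "__main__":
    for label, sample in [("benign", BENIGN), ("oversized", OVERSIZED_DATE), ("scrap", SCRAP_ATTACHMENT)]:
        print(label, check_message(sample) or "ok")
```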
Unlike other viruses, or "worms," the e-mail user isn't required to click on an attachment or read, preview or forward the e-mail to activate the virus. Simply downloading one's e-mail is enough to activate the code.
"Merely downloading the file can trigger the computer to do whatever it is the hacker intended. It could be something as simple as causing the computer to crash or it could be something as malicious as giving the hacker control of the computer," Magid said.
The e-mail message can have one of several different subject lines including "Fw: Life Stages," "Fw: Funny," "Fw: Jokes," "Fw: Life Stages text," "Fw: Funny text," "Fw: Jokes text," "Life Stages," "Funny," "Jokes," "Life Stages text," "Funny text," or "jokes text," and includes the LIFE_STAGES.TXT.SHS file attachment, according to a bulletin posted on Microsoft's security Web site.
The vulnerability was discovered about a month ago by a South American security research team known as Underground Security Systems Research, or USSR Labs. MSNBC.com learned of the flaw June 11, but agreed not to publish the information until Microsoft had a chance to supply a fix, standard practice in the computer-security business in order to prevent possible harm to computer users. (Microsoft is a partner in MSNBC). However, Tuesday morning an individual identified as Aaron Drew of Australia sent details of the bug to a security mailing list.
"I would say this problem is huge," said Russ Cooper, a security expert who watches Microsoft flaws closely as administrator of the NTBugTraq mailing list. "It's the 'Good Times virus' come true. If you heard about this, you would call it a hoax," he said, referring to an old computer myth that a single e-mail could destroy a victim's computer. "Here we have the chance of people hearing, 'The reason your hard drive was reformatted was because you received that e-mail.'"
The only defense against the vulnerability is installing the Microsoft patch, which will be available shortly on the Microsoft security Web site.
Microsoft said the stand-alone Outlook patch might not be ready until Wednesday, but concerned Outlook users can protect themselves immediately by downloading and installing the newest version of Internet Explorer from Microsoft. That software includes code that will stop the vulnerability.
"Users of Microsoft Outlook and Microsoft Outlook Express should definitely go to Microsoft.com and determine whether that patch is available, and if so download it and implement it right away," said Magid.
The vulnerability in Microsoft's Outlook e-mail program has widespread implications: Until now, victims had to willingly open an e-mail attachment, or at least view a specially formed e-mail message, to be attacked. Now, a computer vandal could conceivably take control of thousands of computers with a single mass e-mail. Intruders can have their way with a target machine once it begins to download the ill-formed message to its hard drive.
Since an attacker could have his way with a victimized computer, several alarming scenarios are possible. A single e-mail could instruct the computer to delete every file on its hard drive, for example. It could also instruct the computer to copy sensitive information from the victim and e-mail it back to the attacker.
"Clearly this is a serious vulnerability," said Scott Culp, Microsoft's security program manager.
The vulnerability could have unnerving privacy implications as well. For example, a spam advertiser could send an e-mail that would automatically launch Internet Explorer and direct it to the company's Web site.
As written, this vulnerability isn't self-replicating, like the ILOVEYOU computer virus, which spread around the world in under 12 hours earlier this year. To exploit this problem, an attacker would have to deliberately send a specially formed malicious e-mail to a victim. But a virus writer could conceivably use this code to create a dangerous self-replicating worm.
Microsoft says home users are at the greatest risk because the attack will begin the moment the e-mail arrives at a user's computer -- even if they don't open the message.
But the bug can also impact corporate users. Those running Outlook in "corporate and workgroup mode" must actually read or preview the malformed message in order to be victimized by the flaw.
Since sample code exists, copycats are expected to begin writing malicious e-mail fairly soon. There is one mitigating factor -- since the flaw doesn't impact most corporate users, and home users are generally a less interesting target, that might limit computer-vandal interest in the problem. Corporate users normally have more sensitive, valuable information stored on their computers.
CBS Worldwide Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed. The Associated Press and MSNBC contributed to this report.