The vulnerability smooths the way for a new type of email-borne virus, also called a Trojan horse, and other malicious software. Microsoft Outlook is one of the most popular email programs in use.
Ordinarily, when a Microsoft Outlook user clicks on a file that has been received as an "attachment," the program will ask whether the user wants to open or save the attachment. Programs which exploit the vulnerability, however, fool Outlook into executing the potentially harmful software without asking permission.
Email containing a malicious payload is a popular new method of attacking computers. For example, US West's internal network had to be shut down for an evening about two weeks ago because of a self-generating attack.
The attack works by disguising the true identity of an email attachment so that Outlook assumes the attached file is benign, said the discoverer, Juan Carlos Garcia Cuartango, a Spanish researcher who has found several other weaknesses in the past. The masquerade works because Outlook doesn't examine files with common "extensions." An extension is a three-letter filename suffix, such as "doc" or "gif."
"Outlook does not care about what the real attachment contains. It only cares about the attached file suffix," Cuartango said in an email.
Microsoft was unable to comment on the vulnerability by press time.
The newly discovered problem affects Microsoft Outlook Express 4 and 5, Outlook 98, and Outlook 2000, according to Elias Levy, chief technology officer of Security Focus, a company that monitors computer security problems. There aren't yet reports of active attacks using the vulnerability, he said.
"I think it's very severe," Levy said. "It could be used to create something just as bad or even worse than Melissa," he said, speaking of a virus that swept the Internet in March.
Melissa was successful largely because it automatically sent copies of itself to unsuspecting users via Microsoft Outlook email software. Antivirus software initially failed to detect the virus, although Melissa ultimately proved a bonanza for antivirus companies.
Since its emergence, several other variants have appeared on the scene. Cuartango said he notified Microsoft of the vulnerability on October 15.
The basic problem isn't being fixed by companies such as Microsoft and Netscape, Levy believes.
"Cuartango and [fellow bug catcher Georgi] Guninski have shown we just have this cycle. They find a bug, the vendor patches it, a week goes by, and they find another one," Levy said. "We have to look beyond that at what's fundamentally wrong here: We have programs such as Web browsers and email clients that connect to an untrusted network from which they receive data they do not trust."
Levy believes the solution is to adopt a method used by the military, in which programs run in a safe zone within a computer--a cordoned-off area where the programs have minimum privileges and can't do any damage. Sun Microsystems has taken steps in this direction with its "sandbox" area, Levy said, but there still is room for attacks that don't use Java and companies have had some difficulties in making sure Java works like it's supposed to.
The Unix operating system, which is supposed to restrict the actions of computer tasks not run by the system administrator, is better than Windows, Levy said. However, it's "definitely not the solution either."
The new vulnerability works through a series of disguises, Levy said. First, the malicious program is converted into a Microsoft archive format called a "cab" file. Then, the cab file is renamed with an extension of a file type that Outlook isn't concerned with (such as "jpg," "mov," or "txt"), then emailed as an attachment.
When the victim clicks on the attachment, the cab file is decompressed and its contents saved to a specific location. In the last stage, a JavaScript program in the email executes the potentially malicious program that was contained in the cab file.
To protect against the problem, Security Focus recommends changing the default location for temporary files from TEMP or TMP to some other, unpredictable location. "You can also disable Javascript," the company said.
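The weakness Cuartango describes is that the client trusts the attachment's suffix alone. As an added example (not code from Outlook, Security Focus or the researcher), the script below does what a mail gateway or client should do instead: it sniffs the leading bytes of each attachment and flags a cabinet archive that has been renamed to a decoy extension such as "jpg," "mov," or "txt." The signature table and the sample message are constructed for illustration.

```python
"""Sniff an email attachment's real format instead of trusting its suffix."""
import email
import email.policy
import os
from email.message import EmailMessage

# (format, byte offset, leading bytes).  CAB archives begin with the ASCII
# string "MSCF"; the others are well-known headers for the decoy extensions
# named in the article, plus DOS/Windows executables.  Constructed table.
SIGNATURES = [
    ("cab", 0, b"MSCF"),
    ("exe", 0, b"MZ"),
    ("jpg", 0, b"\xff\xd8\xff"),
    ("gif", 0, b"GIF87a"),
    ("gif", 0, b"GIF89a"),
    ("mov", 4, b"moov"),  # QuickTime: 4-byte atom size, then atom type
    ("mov", 4, b"mdat"),
    ("mov", 4, b"ftyp"),
]


def sniff_format(data):
    """Return the format whose signature matches the payload, else None."""
    for fmt, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return fmt
    return None


def check_attachment(filename, data):
    """Compare the declared extension with the sniffed format.

    Returns (verdict, declared_extension, sniffed_format); verdict is "ok",
    "mismatch", or "unknown" (a signed format was declared but no header seen).
    """
    declared = os.path.splitext(filename or "")[1].lstrip(".").lower()
    actual = sniff_format(data)
    known = {fmt for fmt, _, _ in SIGNATURES}
    if actual == declared:
        return ("ok", declared, actual)
    if actual is None:
        # Extensions without a header (e.g. txt) pass only when the payload
        # matched no known binary format.
        return ("unknown" if declared in known else "ok", declared, actual)
    return ("mismatch", declared, actual)


def scan_message(raw):
    """Run check_attachment over every attachment of a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename()
        verdict, _, actual = check_attachment(name, part.get_payload(decode=True))
        findings.append((name, verdict, actual))
    return findings


def build_sample_message():
    """Constructed test mail: a CAB header disguised as vacation.jpg."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "pics"
    msg.set_content("see attached")
    msg.add_attachment(b"MSCF" + b"\x00" * 32, maintype="image",
                       subtype="jpeg", filename="vacation.jpg")
    msg.add_attachment(b"\xff\xd8\xff\xe0" + b"\x00" * 32, maintype="image",
                       subtype="jpeg", filename="real.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict, actual in scan_message(build_sample_message()):
        print(f"{name}: {verdict} (sniffed as {actual})")
```

The "unknown" verdict is deliberate: a payload that carries none of the listed headers cannot be cleared by this check alone, so a gateway should fall back to a fuller parser rather than pass it.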
Microsoft tomorrow will unveil a redesign of its MSN Web portal and launch new services on the network, while debuting a revised version of its controversial instant messaging program.
The redesign, which has been in "preview" mode, will unveil new features such as a "Message Center" that displays a user's new Hotmail messages, online buddies from MSN Messenger, and community lists.
Microsoft will also introduce a new version of its MSN Messenger service, the company's instant messenger "client." The service made headlines when it began allowing users to communicate with AOL Instant Messenger users. AOL criticized the move as a hack into its system and blocked Messenger's access; Microsoft returned fire, claiming AOL was not working up to industry standards.
Microsoft has not decided whether to make the new MSN Messenger interoperable with AIM, according to Deanna Sanford, lead product manager at MSN. "We're still evaluating that," Sanford said.
The new MSN Messenger will officially launch next week.
Tomorrow's moves come as Microsoft continues revamping its long-staggering Internet strategy, as previously reported. Last week, the software giant debuted an online shopping site called eShop, which allows users to purchase gifts from many different retailers, compare prices, and read consumer reviews.
MSN Web Communities went live today. The product allows users to create and design shared Web pages replete with communications tools, such as email and message boards.
Microsoft previewed selected features of its upcoming services during a September briefing of financial analysts and journalists. During the briefing, the company outlined its plans to turn MSN into a distribution point for Web software services, such as Hotmail and its site registration technology MSN Passport.
Early next year, Microsoft is expected to launch its MSN Calendar product, developed through its acquisition of Jump Networks.
Oxygen Media will tap Web site builder Bigstep in a joint effort to attract the largest sector of small-business owners online: women.
Bigstep will create a cobranded service on Oxygen's Ka-Ching finance site, the companies are expected to announce tomorrow. Available for free, the service will enable women to build and manage their businesses, create catalogs of products, send customer newsletters, analyze site traffic, and accept online credit card payments.
Oxygen, which plans to launch a sister cable channel for women in February, hopes the Web site-building tools will keep its audience coming back, rather than turning to veteran sites such as Women.com and iVillage. But for San Francisco start-up Bigstep, the partnership could give it a leg up in an extremely competitive market, where firms such as Yahoo, CitySearch, CommerceKey, and Intel provide similar Web services to small and medium-sized businesses.
Women own 40 percent of all businesses in the United States, but are "starting new firms at twice the rate of all other business," according to the U.S. Small Business Administration. Bigstep estimates that more than half of its current clientele are women-owned firms, such as financial planners, legal consultants, and retailers.
By pairing with the women's network, Bigstep will have access to a huge pool of potential customers. Bigstep also could benefit from Oxygen's new national advertising campaign, which will include a Super Bowl ad, and traffic driven by Oxygen partner Oprah Winfrey, who frequently plugs the site on her show.
Down the line Bigstep hopes to make money by offering extra services to established clients.
"We made the decision to work with them because they are incredible people, but we knew the marketing opportunities they are going to be rolling out over time would be massive," said Andrew Beebe, chief executive of Bigstep. "We think building thousands of sites out of this is a no-brainer."
The quick tools Bigstep will provide are the kind of feature Oxygen had been promising to offer its users. Rival Women.com's small business area lets women write business plans and set up a home office, for example.
"We will help Ka-Ching focus this 'underserved' market," Beebe said. "You just click on 'starting your business,' and it can take 15 minutes to get your business up and running."
Geraldine Laybourne, Oxygen's founder, said in a statement that "This offering goes to the heart of what Oxygen is all about--providing unique services and solutions designed to help women manage their lives and realize their economic power."

Charter Communications, a cable company owned by Microsoft cofounder Paul Allen, raised $3.23 billion today in an initial public offering.
Charter sold 170 million shares for $19 each, the high end of the $17 to $19 range that had been set by lead underwriter Goldman Sachs. Charter shares are expected to begin trading tomorrow under the ticker "CHTR."
"I wouldn't be surprised if Charter's shares rise 100 to 150 percent on its first day," Jeff Hirschkorn, a senior analyst for IPO.com, said last week. "Paul Allen is building this company from the bottom up and he's doing it with acquisitions."
The 170 million shares represent all the class A common stock outstanding. Allen will hold 50,000 shares of class B common stock, which gives him 10 voting rights for each share and 95 percent of all voting rights. The class B shares can later be converted to class A shares on a 1-for-1 basis.
Allen has earned a reputation as having made astute investments, which are handled through Vulcan Ventures. (Vulcan Ventures is an investor in CNET, publisher of News.com.)
Through Vulcan Ventures, Allen owns stakes in several high-tech companies including High Speed Access (HSA), Wink Communications, WorldGate Communications, and RCN. Allen recently combined several of those properties together with Charter and Go2Net to form Broadband Partners, a joint venture that will create an interactive-TV based broadband portal.
Since acquiring Charter, Allen has been on an acquisition binge, gobbling up smaller and mid-sized cable operators primarily serving the "ex-urban" regions around major metropolitan markets.
When a handful of proposed mergers is finalized, Charter is expected to be the fourth-largest cable company in the nation serving more than 5 million customers.
Allen plans to use Charter's cable networks to offer multi-channel video programming, high-speed Internet access, local voice telephony, and interactive TV.
Charter generated revenues of $1.43 billion during the six-month period ended June 30 and it posted a loss from operations of $238.7 million.
Nortel Networks will tomorrow detail a two-pronged strategy intended to hit rival communications equipment provider Cisco Systems where it hurts.
Nortel plans to cut prices for its network routers by as much as 50 percent, according to industry sources. The move is part of the Brampton, Ontario-based company's goal of becoming more competitive in the market for network devices and the software that runs in them, a lucrative market now dominated by Cisco.
Nortel also will detail plans to license its routing software code to third parties, including Intel and Microsoft, for use in operating systems, "thin client" devices, Palm-based computers, and set-top boxes, according to sources. The company is already said to have issued 200 software licenses for its routing code to third parties, these people said, as part of an effort Nortel calls the "Open IP Environment."
At the core of network routing devices is software that directs network traffic. Nortel apparently aims to shift its networking focus to software, essentially leaving hardware concerns to its rival Cisco.
"There's no way they're going to get top billing in the router market--Cisco owns it," one industry insider said. "But not the market for the enabling technology."
A Nortel spokesman declined to comment on the company's unannounced plans.
Nortel is looking to draw users away from current routing technology, toward all-encompassing routing software that can link many different computers to Nortel's fiber-optic based equipment, according to industry observers. The initiative also furthers the company's aim to reconstruct itself as an Internet-based company.
The announcement's timing isn't coincidental. Nortel plans to announce its newest business deals the same day rival Cisco releases earnings for its most recent quarter.
Cisco is expected to announce per-share earnings of 23 cents for its first quarter, according to consensus estimates compiled by First Call. The announcement is likely to be closely watched, given recent rumors that Cisco may miss Wall Street's expectations.
In 1998, Cisco garnered 70.5 percent of the routing market, compared with Nortel's 9.1 percent share, according to market researcher Dataquest.
Bay Networks, the data-oriented networking firm Nortel acquired in 1998, purchased routing technology last year for use in the Open IP environment.
Nortel plans to discount its line of so-called enterprise routers, sources said. The cost of the technology is dependent on how complex the installed software is. Base prices run as low as $30,000, according to industry analysts.
Though there are few specifics, Microsoft plans to incorporate Nortel's software in an upcoming release of its Windows 2000 operating system, according to sources. Windows 2000 is scheduled to ship to customers early next year.
Intel plans to use the software in conjunction with its burgeoning networking chip business, sources said.
A Cisco spokesman seemed unconcerned with Nortel's new plans. In response to the strategy, the spokesman said that Nortel's routers will "finally be priced what they're worth."
Web site troubles plagued Toys "R" Us for the second straight day as customers overwhelmed the company's servers, raising further questions about its ability to adapt to the high demands of e-commerce.
The company said the site received a sharp increase in the number of visitors yesterday morning, as consumers began responding to an advertisement placed in national newspapers around the country. With site traffic increasing tenfold from previous peaks, the company moved to limit the number of consumers who could use its systems at any one time.
"I don't think anyone expected a tenfold increase," said John Barbour, chief executive of Toys "R" Us subsidiary Toysrus.com.
The site "slowdown," as Barbour and other company representatives called it, is only the latest in a series of Web-related problems the company has encountered. Slow to enter the e-commerce game, Toys "R" Us was trounced last year in online toy sales by rival eToys. This year, the company has seen a highly touted deal with Benchmark Capital unravel and has had a falling out with the designated chief executive of Toysrus.com, Bob Moog.
For many shoppers, the site was accessible only rarely last night and sporadically today. Many attempts to enter it were met with at least four types of "error" messages and apologies that asked visitors to come back later.
Visitors apparently were responding to the company's "Big Book" toy catalog and other related promotions. The company said it distributed some 62 million Big Books over the weekend in national newspapers. In addition, the company is offering free shipping in November and a free Tickle Me Elmo toy for orders of more than $100.
This morning, the site carried a message that greeted many would-be shoppers yesterday: "Due to the overwhelming popularity of the BIG BOOK of savings, we have had to limit the number of guests to our Web site...Please accept our sincere appologies [sic] and try again later."
Despite the discount catalog and a new advertising blitz, which includes national television commercials, Toysrus.com director of guest relations Ruben Baerga said the retailer did expect a traffic spike. Over the last week, Baerga said the company increased the capacity of its systems 2.5 times, far less than what was needed to handle the tenfold traffic spike.
"It took us by surprise," Baerga said. "We weren't ready for it."
Barbour said the company had already quadrupled its number of servers to prepare for the onslaught. In response to the slowdown, he said the company plans to triple the number of servers it now has. Baerga said that means the company will add up to 200 servers to handle increased traffic.
"That's an undertaking, but we'll do it," Baerga said. "We're working feverishly to fix it."
Even on the few occasions when the site was accessible, at least some items advertised in the company's much-touted Big Book catalog could not be found on the Web site.
Such problems, combined with the outage, confirm analysts' worst fears that many e-commerce sites are not well enough prepared to handle the crush of holiday traffic, a criticism that has been leveled specifically at some of the largest brick-and-mortar retailers.
Yankee Group e-commerce analyst Melissa Bane said outages at sites like Toys "R" Us could hurt those e-tailers this holiday.
"Last year, it was trendy to be caught with your site down--it showed you were pop," Bane said. "This year, it's less glamorous. It's not a tribute to how much traffic you have, but a tribute to how unprepared you are."
Toys "R" Us faces intense competition from other online stores, including eToys, Amazon.com, Wal-Mart, and KB Toys.
The market is expected to be particularly tough this holiday season, which many retail and financial analysts consider a make-or-break period for some e-commerce companies. Net stocks have been slumping in recent months, and online companies are looking to the holiday period to provide a boost.
Consumers are expected to spend about $6 billion online this holiday season, analysts have estimated.
Toys "R" Us is not alone in suffering outages. Virgin's music store recently was clogged because of demand from a sale on CDs. Amazon.com's site also has undergone periodic outages, frustrating customers, including two separate downtimes last Thursday.
Last December, Toys "R" Us's online site suffered at least one multihour outage, as it and other e-retailers were slammed with holiday shoppers.
News.com's Troy Wolverton contributed to this report.