Judge was right: BubbleBoy worm proves IE/Windows insecure

A malicious new email worm can infect the systems of Microsoft Outlook and Outlook Express users that have Internet Explorer 5.0 installed, giving a dramatic "told you so" moment to Judge Jackson's pronouncement in his findings of fact that integrating a Web browser into Windows presented a security risk. The startling new bug, which surfaced less than a week after Jackson's ruling against Microsoft, is the first of its kind: An email worm that can cause a virus to infect a system without any participation from the user. Dubbed "BubbleBoy" after an episode of the TV series "Seinfeld," this worm can attack your system by simply opening the email that it is attached to: You don't need to manually open the attachment.

The implications of such a bug are, of course, frightening: In the past, email attachment bugs required the user to open an infected attachment for a virus to infect the system. But BubbleBoy takes advantage of the lax security features in Internet Explorer 5.0, which provides Outlook and Outlook Express with HTML email capabilities, to infect a system without any user interaction.

Fortunately, the original version of BubbleBoy doesn't contain any destructive code, though it does propagate itself by sending an infected email to every contact in the user's address book. Email from the worm is generally accompanied by a subject line reading, "BubbleBoy is back!" while the body of the mail includes the text "The BubbleBoy incident, pictures and sounds," along with an invalid Web address.

At risk are users running Windows 98 or Windows 2000 (but not NT 4.0, for some reason) with Internet Explorer 5.0 and Windows Scripting Host (WSH) installed (this is a standard component of Windows 98 and 2000). In Outlook, the offending email must be opened in its own window for the virus to escape. Outlook Express users aren't so lucky: You can unleash the virus simply by displaying the email in the preview window.

As for protecting your system, the same rules apply as always: Make sure you've downloaded the latest security patches for Internet Explorer 5.0 from Windows Update. A security fix that was released earlier this year (one of about a dozen so far) will protect your system from BubbleBoy

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.