According to the Privacy Foundation, e-mail programs from Microsoft (MSFT) (Outlook and Outlook Express) and AOL TW-Netscape (Communicator 6.0) are vulnerable to the wiretapping technique. The New York Times and a few others covered the development Monday morning; other outlets picked up the story later in the day. Most reporters contented themselves with recounting the facts of the case and getting comments from security experts.
Wired ran the story yesterday and followed up today with a profile of the bug's original discoverer, Carl Voth. Julia Scheeres's interview brings out a historical wrinkle: in 1998 Voth had sent details of the bug to Richard Smith, then an amateur bug-hunter but now chief technologist at the Privacy Foundation. Smith suggested that Voth contact Microsoft and didn't investigate further. More than two years later, Voth wrote to Smith again and showed how his wiretapping discovery could make use of "Web bugs," another vulnerability that Smith had uncovered and publicized. This time Voth got Smith's attention.
The Slashdot community chewed over the vulnerability yesterday. Most of their suggestions won't be of much help to non-techies, though some were amusing. One poster suggested you exploit one of Microsoft Outlook's many vulnerabilities to break into your boss's computer and change his Windows startup tune to the Soviet national anthem.
A Trick to Snoop on E-Mail (New York Times)
E-Mail Loophole Enables Snooping (AP)
Privacy Group Warns Of HTML Mail's 'Wiretap' Weakness
Wait! Don't Forward That E-Mail
Friends Don't E-Mail Friends HTML
HTML E-Mail Clients Susceptible to 'Wire-Tapping'
New E-Mail Vulnerability: Trust Your Neighbor?