Yes, the Internet is a jungle, and, as we've seen with so many enabling technologies, each new capability will also have some unintended side affects. In this case, the culprit is the most common of Internet idioms, HTML. Without warning, HTML can exploit a stability hole in Microsoft's Windows 95 and Windows 98 that will cause a fatal system error requiring you to reboot. This means an unscrupulous web designer can create a web page that will "blue screen" any Windows 9x machine that tries to access it via their browser. And what makes this bug even more insidious is the fact that the malevolent code can be emailed and produce the same fatal error on systems running Microsoft Outlook. GPF in your inbox Jin-Ho Choi, a BugNet reader from Korea, submitted this bug earlier this morning. KeyLabs tests verified the bug and uncovered the potential threat to Outlook 2000 users. While any Windows 9x browser will produce the fatal error, Outlook was the real surprise. All it takes is for someone to include the code in the message body (it doesn't even need to be an attachment) of an email message. When the message is opened, you will get a fatal error. No warning. No prodromic symptoms. You open the message . . .you get the "blue screen of death." The bug will only affect Outlook 2000 users that have enabled Word 2000 as their mail editor. So if you are using the default Outlook mail editor, you will not have this problem. We estimate that this will affect a lot of Outlook users. Word offers features that are not typically found in email editors. These features include a better spell checker, auto correction, grammar checker, etc. KeyLabs used the same offending mail message to validate the bug on other email packages like Netscape Communicator, Outlook Express, and Eudora. All other tested platforms failed to produce the bug. We were also unable to reproduce the problem on systems running Outlook 98 with Word 97 as the mail editor, so it appears that the problem is limited to the Outlook 2000/Word 2000 combination. Further testing revealed that Windows NT and 2000 are immune to this problem. While we are not obliged, nor think it appropriate, to divulge the offending code in this forum, we do want you to understand the nature of this bug. The high level explanation is that the HTML code is making low level DOS device calls. This explains why Windows NT and Windows 2000 are immune. They simply do not allow applications to talking directly to the hardware. Even though inappropriate DOS device calls would cause a fatal error on any Windows 9x computer when run from the command prompt, the real rub is that a simple web page can wreak havoc on your system without any warning-while you are innocently browsing. What's a browser to do? We have supplied the renegade code to Microsoft to see if there is a workaround that Windows users can employ. At the time of this writing, Microsoft is in the process of creating a fix for this hole. A Microsoft official replied to us say, "Microsoft was notified to this in November last year and, originally thought customers would not be affected, but now upon some reexamination we decided the best thing was to go ahead and fix it anyway." Still, depending on your aversion to system lockups, you may want to view all email messages as text, just in case. Others may choose to wait until it becomes a problem before taking action. The browser hole is a different matter. Unless you restrict your web surfing to commercial, trusted sites, you are at risk any time. IF you are really risk averse, you may want to install Windows NT or Windows 2000. As always, the best thing to do is be vigilant.