Beware of malformed MIME artists

Content checking bypass ploy

The UK's top security co-ordination agency today warned of a series of vulnerabilities involving implementations of the Multipurpose Internet Mail Extensions (MIME) protocol within email and web security products. In a series of eight technical advisories the UK's National Infrastructure Security Co-ordination Centre (NISCC) explains how malformed MIME constructs might be exploited to allow attackers to bypass content checking and antivirus tools. MIME is the standard method for encoding email attachments, so the extent of the problem highlights a gaping security hole that virus writers might use to smuggle hostile code past security defences.
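The advisories' underlying point is that a content checker which parses MIME more leniently than the recipient's mail client can be made to miss a part it never scanned. The following added example (not code from NISCC, Corsaire or any affected vendor) shows the fail-closed behaviour a gateway should have: it parses a message with Python's standard `email` package, collects the structural defects the parser records on every part, and quarantines anything that is not cleanly parseable instead of delivering it as "no attachments found". The three sample messages are constructed for this illustration; the defect class names are those the standard library actually reports.

```python
"""Fail-closed MIME structure check for a mail content filter.

Added example; assumes only the Python standard library. The sample messages
below are constructed for this illustration and are not taken from any advisory.
"""
import email
from email import policy
from email.message import EmailMessage

# Constructed sample 1: a well-formed multipart message with one attachment.
WELL_FORMED = (
    "From: alice@example.test\r\n"
    "To: bob@example.test\r\n"
    "Subject: quarterly figures\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "Figures attached.\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="figures.bin"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "aGVsbG8=\r\n"
    "--b1--\r\n"
)

# Constructed sample 2: the same message with the closing "--b1--" line removed.
NO_CLOSE_BOUNDARY = WELL_FORMED.replace("--b1--\r\n", "")

# Constructed sample 3: Content-Type claims multipart but declares no boundary,
# so a lenient parser sees one opaque text body and never locates the attachment.
NO_BOUNDARY_PARAM = WELL_FORMED.replace('; boundary="b1"', "")


def parse(raw: str) -> EmailMessage:
    """Parse with the modern policy: defects are recorded on the parts, not raised."""
    return email.message_from_string(raw, policy=policy.default)


def structural_defects(msg: EmailMessage) -> list:
    """Class names of every parser defect found on any part of the message."""
    names = []
    for part in msg.walk():
        names.extend(type(d).__name__ for d in part.defects)
    return names


def count_attachments(msg: EmailMessage) -> int:
    """What a naive filter would count as scannable attachments."""
    if not msg.is_multipart():
        return 0
    return sum(1 for _ in msg.iter_attachments())


def verdict(raw: str) -> dict:
    """Fail closed: any structural defect quarantines the message, because the
    scanner cannot be sure it saw every part the recipient's client will see."""
    msg = parse(raw)
    defects = structural_defects(msg)
    return {
        "attachments_seen": count_attachments(msg),
        "defects": defects,
        "action": "quarantine" if defects else "deliver",
    }


if __name__ == "__main__":
    for label, sample in [("well-formed", WELL_FORMED),
                          ("no close boundary", NO_CLOSE_BOUNDARY),
                          ("no boundary param", NO_BOUNDARY_PARAM)]:
        print(label, verdict(sample))
```

The third sample is the instructive one: a scanner that only inspects what its parser returns as attachments would report zero attachments and pass the message, while a mail client applying its own heuristics to the same bytes may well render the embedded part. Treating the parser's defect list as a blocking signal closes that gap regardless of which specific malformation was used.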

The issue was uncovered in tests by UK-based security firm Corsaire, which developed a test suite for content checking systems on behalf of a client in the insurance industry last year. Tests at the client revealed a number of security problems. These findings prompted further research on the 10 most common content checking and AV gateway products, which unearthed a large number of varied security loopholes.

Many different viruses - such as SirCam, Nimda, NetSky and BadTrans - use malformed MIME content, so the vulnerability of many common AV products came as an unpleasant surprise to Corsaire. "We were surprised to find so many and taken aback to find manufacturers were not running the same tests as us. Many of the tests were quite elementary," said Martin O'Neal, technical director at Corsaire. Corsaire said it found between 30 and 130 vulnerabilities in each product. NISCC grouped these vulnerabilities into eight categories for the sake of simplicity.

Corsaire worked throughout the last year in partnership with the UK NISCC team to ensure that the affected vendors have had access to the relevant information and tools to reproduce and correct the issues. A security alert issued by NISCC through the UNIRAS reporting scheme explains the security exposure of various vendors to the issue.

According to Corsaire, many of the security vendors have already silently released patched versions of their software over the last 12 months. Others are promising to address the issue in the next version of affected products (e.g. F-Secure promises to fix a limited vulnerability in its Secure Internet Gatekeeper software with release 6.41, scheduled for the beginning of Q4 04). Apple, HP, MessageLabs and Mozilla state that their respective products are safe from exploitation. Other vendors have yet to make a public pronouncement on the issue. Corsaire advises anyone in doubt as to the status of the products used within their environment to contact their vendors. ®
