Disable it and be done with it. There is no option to partially support
the issue, and the issue is very likely not a threat. Just because
something isn't RFC compliant doesn't mean that it is a threat. The
vulnerability was from Outlook displaying attachments that were hidden
by bad encoding, but that flaw was likely patched, or at least it has
not been exploited in mass.
Matt
Mon Mariola - Rubén wrote:
Matt,
So far, the only case where I find this vulnerability is in the mail
sent from the program Incredimail.
If these lines are actually prohibited in RFC, it is safer to seek
Incredimail technical support to solve your problem.
But I fear that the explanation in Declude manual is false and that
there is a section in RFC that says clearly that these lines are not
allowed.
Thank you.
Ruben Marti.
Mon Mariola, S.L.
----- Original Message ----- From: Matt
To: declude.virus@declude.com
Sent: Monday, December 03, 2007 4:15 PM
Subject: Re: [Declude.Virus] Outlook 'Blank Folding' Vulnerability
Ruben,
In your Virus.cfg file, add the following line:
ALLOWVULNERABILITY OLBLANKFOLDING
This will turn off this vulnerability detection. There have been no
viruses that I know of that have exploited this flaw, and it is quite
possible that this flaw no longer exists since it is around 5 years
old now. You might also want to consider turning off other
vulnerability detections due to the propensity of them hitting
legitimate E-mail. Here's a list:
BANPARTIAL OFF
ALLOWVULNERABILITY OLCR
ALLOWVULNERABILITY OLSPACEGAP
ALLOWVULNERABILITY OLMIMESEGMIMEPRE
ALLOWVULNERABILITY MIMESEGMIMEPOST
ALLOWVULNERABILITY OLLONGFILENAME
ALLOWVULNERABILITY OLBLANKFOLDING
ALLOWVULNERABILITY OBJECTDATA
ALLOWVULNERABILITY OLBOUNDARYSPACEGAP
ALLOWVULNERABILITY OLMIMEHEADER
ALLOWVULNERABILITY OLLONGBOUNDARY
Matt
Mon Mariola - Rubén wrote:
The program "incredimail" generates subjects, in certain cases, ended
with "0D 0A 09 0D 0A." These messages are captured by Declude virus
like "Outlook 'Blank Folding' Vulnerability". I want to send a letter
requesting to technical support solve this problem, but I really do
not see the point 3.2.3 in RFC 822 indicating that this is not allowed.
Thank you.
Ruben Marti.
Mon Mariola, S.L.
From Declude manual:
Outlook 'Blank Folding' Vulnerability: This vulnerability occurs when
there is a line in the headers with just a single space or a single
tab character. Outlook can treat this as the end of the headers,
allowing it to see a virus that is embedded in the headers. RFC822
3.2.3 says that it is not valid to have such lines, nor is there any
legitimate reason for an E-mail to contain a blank line in the headers
with a single space or tab (note that it is OK to have a line with a
single space or tab in the E-mail body, just not the headers).
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
---
This E-mail came from the Declude.Virus mailing list. To
unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
type "unsubscribe Declude.Virus". The archives can be found
at http://www.mail-archive.com.
