FYI, we just found out this evening that a new vulnerability has been found in Outlook that can cause viruses to be sent within the headers of an E-mail, which will bypass most/all SMTP-based virus scanners.
We have just released a new version of Declude Virus that will automatically detect this vulnerability. For people using other virus scanners, you may want to use our Test Mail Sender at http://www.declude.com/tools/mailsend.html and send yourself the "eicarcr- To test Outlook CR vulnerability" file. The E-mail should be caught by your SMTP-based virus scanner, and should not be delivered to your E-mail client. If not, you should update your SMTP-based virus scanner as soon as an update is available. The vulnerability entails sending two carriage returns in a row ("CRCR") in the middle of an E-mail header. This has no meaning in SMTP (and therefore should be treated as part of the header), but Outlook treats this as if it were a "CRLFCRLF", which would end the headers. So once this part of the headers is reached, a standard E-mail program or SMTP-based virus scanner will treat the next line as a header, but Outlook will treat it as the body of the E-mail. If an attachment is placed here, Outlook will see it and treat it as an attachment. However, the standard E-mail client or SMTP-based virus scanner will realize that these should be standard headers, and won't see the attachment. It has been reported that there are viruses in the works that may take advantage of this vulnerability. In order to be effective, they would need to be small (less than about 7K encoded), which will make it difficult for "script kiddies" to write such a virus, but it can certainly be done. Since Outlook tends to be the main source for spreading viruses, this is something that should be taken seriously. More details can be found at http://www.openoffice.nl/special_interest/outlookbug.html . -Scott --- Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for IMail. http://www.declude.com --- [This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)] Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list. An Archive of this list is available at: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
