Todd,
Just a quick head's up for Outlook users:
At 11:12 PM 2/18/02 -0500, you wrote:
>FYI, we just found out this evening that a new vulnerability has been
>found in Outlook that can cause viruses to be sent within the headers of
>an E-mail, which will bypass most/all SMTP-based virus scanners.
>
>We have just released a new version of Declude Virus that will
>automatically detect this vulnerability. For people using other virus
>scanners, you may want to use our Test Mail Sender at
>http://www.declude.com/tools/mailsend.html and send yourself the "eicarcr-
>To test Outlook CR vulnerability" file. The E-mail should be caught by
>your SMTP-based virus scanner, and should not be delivered to your E-mail
>client. If not, you should update your SMTP-based virus scanner as soon
>as an update is available.
>
>The vulnerability entails sending two carriage returns in a row ("CRCR")
>in the middle of an E-mail header. This has no meaning in SMTP (and
>therefore should be treated as part of the header), but Outlook treats
>this as if it were a "CRLFCRLF", which would end the headers. So once
>this part of the headers is reached, a standard E-mail program or
>SMTP-based virus scanner will treat the next line as a header, but Outlook
>will treat it as the body of the E-mail. If an attachment is placed here,
>Outlook will see it and treat it as an attachment. However, the standard
>E-mail client or SMTP-based virus scanner will realize that these should
>be standard headers, and won't see the attachment.
>
>It has been reported that there are viruses in the works that may take
>advantage of this vulnerability. In order to be effective, they would
>need to be small (less than about 7K encoded), which will make it
>difficult for "script kiddies" to write such a virus, but it can certainly
>be done. Since Outlook tends to be the main source for spreading viruses,
>this is something that should be taken seriously.
>
>More details can be found at
>http://www.openoffice.nl/special_interest/outlookbug.html .
>
> -Scott
>---
>Declude: Anti-virus, Anti-spam and Anti-hijacking solutions for
>IMail. http://www.declude.com
>
>---
>[This E-mail was scanned for viruses by Declude Virus
>(http://www.declude.com)]
>
>
>Please visit http://www.ipswitch.com/support/mailing-lists.html to be
>removed from this list.
>
>An Archive of this list is available at:
>http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
