Hello tbudl,

Systems Affected
=====================================================
Email clients which support message re-assembly:
- Outlook Express 5,
- Outlook Express 5.5,
- Outlook Express 6,
- The Bat!
- Microsoft Outlook 2000 (in 'Internet Only' mode)
- possibly others which support this feature

Details
=====================================================
Message fragmentation is detailed in RFC 2046. This feature makes it possible for users wishing to send large files to split these files into multiple smaller messages. A client supporting this feature will receive multiple email messages and transparently re-assemble the whole message at the client side.

By making use of this feature, a virus can easily bypass content checking in various content checking email security solutions, thus not being blocked at server level. This means that a virus signature will not get caught.

Proof of concept exploit
=====================================================
A live example of the named exploit is available on:
http://www.gfi.com/emailsecuritytest

GFI's fragmented message vulnerability test uses the harmless Eicar virus to test whether a network has protection against this type of email exploit. Once the test is activated, if it is received as a single email with an attached file that contains Eicar, then the recipient is vulnerable to this kind of attack. The fragmented message has circumvented server level protection as well as the security settings of the email client - meaning that were this virus malicious, the network would have been infected.

If the test is received as five mails or not at all, the recipient's email client does not support email defragmentation: The fragmented email containing the virus has not been reconstructed at client level, meaning the user's system is safe from this type of attack. This email attack works with Outlook Express and other clients that support message fragmentation.

Solution
=====================================================
GFI MailSecurity Email Exploit Detection engine has been updated to quarantine partial messages.
This exploit is being flagged as 18. Fragmented Message - (Suspicious).

Reference
=====================================================
http://www.gfi.com/emailsecuritytest
http://www.gfi.com/mailsecurity/index.html
http://www.securiteam.com/securitynews/5YP0A0K8CM.html
http://www.faqs.org/rfcs/rfc2046.html

Credit
=====================================================
Issue originally discovered by Noam Rathaus of Beyond Security Ltd

--
Best regards,
Michael ([EMAIL PROTECTED])

"It's not the pace of life that concerns me, it's the sudden stop at the end."

http://wwww.thompsonmike.co.uk/
PGP KeyID := 0x3CC985FA

'To see a world in a grain of sand
And heaven in a wild flower
To hold infinity in the palm of your hand
And eternity in an hour'

Using TheBat! Version 1.61
Running On Windows XP (2600, Service Pack 1)

________________________________________________
Current version is 1.61 | "Using TBUDL" information:
http://www.silverstones.com/thebat/TBUDLInfo.html
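Added example, not part of the original message and not GFI's code: a gateway-side check in Python that recognises RFC 2046 `message/partial` fragments, quarantines each one, and joins the bodies once a set is complete so the whole content can be scanned. The class and function names, the addresses, the fragment id and the marker string are constructed for illustration; the join only concatenates bodies in order and does not rebuild the enclosed message's headers.

```python
from collections import defaultdict
from email.parser import HeaderParser
from email.utils import collapse_rfc2231_value

def partial_info(msg):
    """Return (id, number, total) for a message/partial fragment, else None."""
    if msg.get_content_type() != "message/partial":
        return None
    def param(name):
        value = msg.get_param(name)
        return None if value is None else collapse_rfc2231_value(value).strip()
    def as_int(text):
        return int(text) if text and text.isdigit() else None
    return param("id"), as_int(param("number")), as_int(param("total"))

class FragmentTracker:
    """Quarantines every fragment; returns the joined body once a set is complete."""
    def __init__(self):
        self.parts = defaultdict(dict)  # id -> {number: body}
        self.totals = {}                # id -> total (only required on the last fragment)

    def add(self, raw):
        # A headers-only parse keeps the fragment body as an opaque string.
        msg = HeaderParser().parsestr(raw)
        info = partial_info(msg)
        if info is None:
            return "pass", None
        frag_id, number, total = info
        if not frag_id or not number:
            return "quarantine-malformed", None
        self.parts[frag_id][number] = msg.get_payload()
        if total:
            self.totals[frag_id] = total
        have, total = self.parts[frag_id], self.totals.get(frag_id)
        if total and all(n in have for n in range(1, total + 1)):
            return "quarantine", "".join(have[n] for n in range(1, total + 1))
        return "quarantine", None

MARKER = "CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a scanner signature

def make_fragment(number, total, body):
    """Build a constructed sample fragment (addresses and id are made up)."""
    return ("From: sender@example.com\nSubject: sample\n"
            f'Content-Type: message/partial; id="sample-1@example.com"; '
            f"number={number}; total={total}\n\n{body}")

def demo():
    tracker = FragmentTracker()
    pieces = [MARKER[:10], MARKER[10:]]  # neither piece contains the full marker
    results = [tracker.add(make_fragment(i + 1, 2, p)) for i, p in enumerate(pieces)]
    return pieces, results
```

Neither fragment body matches the marker on its own, which is why per-message scanning misses it; the joined body returned with the last fragment does.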

