[Esa-l] TNEF encoding a "big gaping hole?" :)

Brett Glass brett at lariat.org
Sun Nov 5 17:05:28 PST 2000


The Sanitizer should have an option to strip TNEF attachments. As
Microsoft writes at

http://www.eudora.com/techsupport/kb/1552hq.html

TNEF attachments can contain active content such as OLE objects,
and can also embed attachments in other formats -- including
worms and viruses.

Microsoft Outhouse Express always discards TNEF attachments, and 
Microsoft Expunge Server has a built-in option to do so.

It doesn't make sense to quarantine messages with them, but it does
make sense to strip them out silently. A few minor (and possibly
exploitable) Outhouse features, such as voting, won't work if
this is done, but it's better than letting a worm slip by.

--Brett

At 04:30 PM 11/5/2000, Bjarni Runar Einarsson wrote:
  
>Hi!
>
>I just wanted to post a "heads up", for those of you who aren't paranoid
>yet about those winmail.dat files.  I apologize if this is old news or
>already handled by the sanitizer...
>
>Anyway, according to Microsoft's web site, winmail.dat files or
>application/ms-tnef files can contain all sorts of evil stuff, including
>complete attachments.  So I'm advising people to put winmail.dat on their
>blacklists - and if John agrees and hasn't already, he should consider
>mangling the MIME type as well, since it may suffice even without the file
>name.
>
>P.S. I'm writing this from memory, and the MIME type may not be
>"application/ms-tnef".  Go check in the Microsoft knowledge base what to
>block before blocking anything.
>
>-- 
>Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
> bre at netverjar.is              -><-             http://bre.klaki.net/
>
>Netverjar gegn ruslpósti: http://www.netverjar.is/baratta/ruslpostur/
>_______________________________________________
>E-mail Security Announce list mailing list
>E-mail Security Announce list at spconnect.com
>http://www.spconnect.com/mailman/listinfo/esa-l
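
An added example, not part of either poster's message and not the Sanitizer's own code: a Python version of the silent stripping discussed above, matching on MIME type and on file name as the thread suggests. The `application/vnd.ms-tnef` type, the check for the TNEF signature 0x223E9F78 (which goes beyond what the thread proposes), the function names and the sample message are all assumptions of this example.

```python
import email
from email import policy
from email.message import EmailMessage

TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}
TNEF_NAMES = {"winmail.dat"}
TNEF_MAGIC = bytes.fromhex("789f3e22")  # 0x223E9F78 as stored (little-endian)

def is_tnef(part):
    """True if a MIME part is TNEF by declared type, file name, or content."""
    if part.get_content_type() in TNEF_TYPES:   # already lower-cased
        return True
    if (part.get_filename() or "").strip().lower() in TNEF_NAMES:
        return True
    if part.is_multipart():
        return False
    # Mislabelled part: fall back to the leading signature bytes.
    return (part.get_payload(decode=True) or b"").startswith(TNEF_MAGIC)

def strip_tnef(msg):
    """Drop TNEF parts in place, recursing into containers; return the count."""
    if not msg.is_multipart():
        return 0
    removed, kept = 0, []
    for part in msg.get_payload():
        if is_tnef(part):
            removed += 1
            continue
        removed += strip_tnef(part)
        kept.append(part)
    msg.set_payload(kept)
    return removed

def demo():
    # Constructed sample: one labelled TNEF part, one mislabelled, one benign.
    msg = EmailMessage()
    msg.set_content("Body text stays.")
    msg.add_attachment(TNEF_MAGIC + b"\x00" * 8, maintype="application",
                       subtype="ms-tnef", filename="winmail.dat")
    msg.add_attachment(TNEF_MAGIC + b"\x01" * 8, maintype="application",
                       subtype="octet-stream", filename="notes.bin")
    msg.add_attachment(b"plain data", maintype="application",
                       subtype="octet-stream", filename="report.bin")
    parsed = email.message_from_bytes(msg.as_bytes(), policy=policy.default)
    removed = strip_tnef(parsed)
    names = [p.get_filename() for p in parsed.walk() if p.get_filename()]
    return removed, names, parsed.as_bytes()

if __name__ == "__main__":
    print(demo()[:2])
```

A message whose top-level body is itself a single TNEF part is left untouched here; only parts inside multipart containers are stripped.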



