[Esd-l] Important vulnerability to watch for in e-mail scanners/sanitizers

Brett Glass brett at lariat.org
Tue Apr 2 13:45:01 PST 2002

>From: "Edvice Security Services" <support at edvicesecurity.com>
>To: <bugtraq at securityfocus.com>
>Subject: Various Vulnerabilities in ZoneAlarm MailSafe
>Date: Tue, 2 Apr 2002 10:33:13 +0200
>
>Tuesday April 2, 2002
>
>Various Vulnerabilities in ZoneAlarm MailSafe
>
>Edvice recently tested ZoneLabs ZoneAlarm Pro ability to detect and
>quarantine incoming e-mail attachments that may contain malicious code
>or viruses. This functionality is provided by ZoneAlarm's MailSafe
>
>The Findings
>
>We encountered several vulnerabilities in ZoneAlarm 3.0 MailSafe. The
>vulnerabilities allow bypassing ZoneAlarm's e-mail protection.
>
>Most of the vulnerabilities we encountered are known Email Filters
>attack techniques and there is no point in explaining them again.
>However, there is one issue worth mentioning:
>
>It is possible to bypass ZoneAlarm Email Protection by appending a dot
>to the file name extension (e.g. malicious.exe becomes malicious.exe.).
>The dot changes the file name extension and MailSafe fails to compare it
>with known dangerous extensions. The MS-Windows operating system on the
>other hand disregards a dot at the end of a file name. When Windows is
>given a file name ending with a dot, it will automatically remove the
>dot from the file name extension. When Outlook or Outlook Express
>receives a file name that ends with a dot, it will present the dot, but
>will launch the appropriate application when the file is double-clicked,
>as if the dot does not exist.
>
>Vendor Status
>
>ZoneLabs was first contacted on January 26, 2002.
>A fix (v3.0.118) for most of the vulnerabilities we encountered,
>including the one mentioned above, is available through ZoneAlarm's
>Check for Update feature as from yesterday. ZoneLabs is still working on
>one of the vulnerabilities and a fix is expected soon.
>
>HTML Version: http://www.edvicesecurity.com/ad02-02.htm
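
The trailing-dot mismatch described in the advisory above, shown as an added example that is not part of the original post and is not ZoneAlarm's code: a filter that compares the raw extension beside one that first normalizes the name the way Windows does. The blocklist, function names and sample attachment names are constructed for illustration, and stripping trailing spaces as well as dots goes beyond the case the advisory describes.

```python
import os

# Constructed blocklist for illustration; a real filter would carry a longer list.
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".vbs", ".com"}


def naive_is_dangerous(filename: str) -> bool:
    """Compare the raw extension, as a filter that misses the trailing dot would."""
    _, ext = os.path.splitext(filename)
    return ext.lower() in DANGEROUS_EXTENSIONS


def windows_effective_name(filename: str) -> str:
    """Approximate the name Windows acts on: trailing dots and spaces are dropped."""
    return filename.rstrip(". ")


def hardened_is_dangerous(filename: str) -> bool:
    """Normalize first, then compare the extension case-insensitively."""
    _, ext = os.path.splitext(windows_effective_name(filename))
    return ext.lower() in DANGEROUS_EXTENSIONS


def compare(names):
    """Return (name, naive verdict, hardened verdict) for each attachment name."""
    return [(n, naive_is_dangerous(n), hardened_is_dangerous(n)) for n in names]


# Constructed sample attachment names.
SAMPLES = ["report.pdf", "malicious.exe", "malicious.exe.", "malicious.EXE..", "notes.txt."]

if __name__ == "__main__":
    for name, naive, hardened in compare(SAMPLES):
        print(f"{name!r:20} naive={naive!s:5} hardened={hardened}")
```

The point for a filter author is that the extension check has to run on the name the receiving system will act on, not on the name as it appears in the MIME headers.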
