What are Structurally Flawed Emails?
Structurally Flawed Emails (SFEs) are Emails whose headers or MIME structure
are malformed in a way that viruses can exploit. They are formed maliciously,
or by damaged mail servers, and because of their flawed nature they can bypass
virus scanners that don't know how to detect and then deal with them. This
allows viruses attached to these Emails to slip by as well. Declude EVA detects
all known mail server vulnerabilities, as well as important mail client
vulnerabilities. A mail client vulnerability is something unusual about an
Email that can cause a mail client to do something that it should not
(typically it will run a program without the recipient's permission). A mail
server vulnerability is something unusual about an Email that causes the
mailserver virus scanner and the mail client to decode it differently, so that
a virus the client will see bypasses mail server virus scanning.
Because of the severity of a vulnerability, Declude EVA will by default block
all Emails containing vulnerabilities. On rare occasions, legitimate Email will
contain a vulnerability (this may happen with old beta versions of mail
clients). In this case, the sender's mail client needs to be upgraded to the
latest version to fix the problem.
How do you identify these? What happens after you find them –
quarantine, remediation?
Our proprietary Security Flaw Scanner (SFS) sits in front of the virus
scanner and spam filter, outside the firewall, in our Interceptor gateway
product. The SFS detects Emails that have structural flaws and sends them to
quarantine or deletes them, depending on the company's policy rules. Only once
an Email clears the SFS is it scanned for viruses and evaluated as spam, so the
virus scanner never has to decode a message whose structure is ambiguous. Our
virus scanner can deploy five different scans, while most other solutions can
only use two. Our spam filters also detect spam by IP address, headers and
other methods that go beyond the usual Bayesian technique.
______________________________________________________________________________
Checking for Mail Server and Mail Client Structurally Flawed Emails
(or vulnerabilities)
Mail Server Vulnerability - A vulnerability that causes a mailserver virus
scanner and certain mail clients to decode the same Email differently, so that
a virus the client will see (and may run automatically) is never scanned. A
standard mailserver virus scanner will not be able to detect viruses hidden by
these vulnerabilities unless it checks for the flaws themselves.
Did you know that most of the popular mailserver virus scanners won't be able
to catch the next wave of viruses that use these flaws? You can spend $10,000
on a virus scanner, only to find out that it lets such viruses through
unscanned and that you have to pay to upgrade it in order to catch them!
A vulnerability is a security flaw in a program. You may have heard about
some of the more common mail client vulnerabilities, such as the Outlook "MIME
Headers" vulnerability (where a virus can be run automatically with certain
versions of Outlook). While these are bad, a standard mailserver virus scanner
will still catch known viruses that exploit these vulnerabilities, because the
attachment is where the scanner expects it to be.
However, there is another serious type of vulnerability that has recently
been discovered: mail server vulnerabilities that allow viruses to bypass
mailserver virus scanners! For example, the Outlook "MIME segment in MIME
preamble" vulnerability causes Outlook to see an attachment that, according to
the MIME RFCs, does not exist in the Email. The attacker places a complete
MIME segment (its own boundary line, attachment headers and encoded body) in
the preamble, the text before the first real boundary, which RFC 2046 says
must be ignored. A mail client (or mailserver virus scanner) that properly
decodes the Email will therefore not see an attachment. Outlook, however, will
incorrectly see one.
When a virus uses this type of vulnerability, it will bypass a standard
mailserver virus scanner and get delivered to the recipient! That's why you
should use Declude Virus: it detects these vulnerabilities. Since it detects
the flaws themselves rather than relying on a signature for each virus,
Declude Virus will be able to catch new viruses that use the vulnerabilities,
where standard mailserver virus scanners won't be able to catch them. Do you
really want to buy a mailserver virus scanner that can't catch new viruses?
Vulnerability Name (Vulnerability Type) - Description

CLSID Vulnerability (Mail Client)
  This vulnerability occurs when an Email attachment uses a CLSID as its
  extension. A CLSID is a long string of the form
  {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} that identifies a certain program
  (such as Notepad), and using the CLSID instead of a standard file extension
  will cause Windows to open the file with the program identified by the
  CLSID. Windows will not display the CLSID extension, so a file with an
  innocent-looking name such as "cutedog.jpg" (whose real name ends in the
  CLSID) could cause another program to run.

Conflicting Encoding Vulnerability (Mail Server)
  This vulnerability occurs when the headers of an Email (or of one MIME
  segment) claim two or more different Content-Transfer-Encoding types. A MIME
  segment can only be encoded in one way, so if more than one encoding type is
  listed, the mailserver virus scanner and the mail client may pick different
  ones and use different decoding methods on the Email. If this happens, a
  virus could bypass virus scanning on the mailserver.

Outlook 'Blank Folding' Vulnerability (Mail Server)
  This vulnerability occurs when there is a line in the headers consisting of
  nothing but a single space or a single tab character. Outlook can treat this
  as the blank line that ends the headers, allowing it to see a virus that is
  embedded in what the RFCs (and the virus scanner) consider to be the
  remaining headers. RFC 2822 3.2.3 says that no line of a folded header field
  may consist entirely of whitespace, nor is there any legitimate reason for
  an Email to contain such a line in the headers (note that it is OK to have
  a line with a single space or tab in the Email body, just not the headers).

Outlook 'Boundary Space Gap' Vulnerability (Mail Server)
  This vulnerability occurs when there is a space or tab in the MIME boundary.
  A tab, or a space at the end of the boundary, is not RFC-compliant (RFC 2046
  5.1.1 permits only interior spaces), but Outlook will treat it as valid and
  be able to see a virus that virus scanners will not usually see. There is no
  legitimate reason for an Email to be formed like this.

Outlook 'CR' Vulnerability (Mail Server)
  This vulnerability occurs when an Email contains a single 'CR' character
  within the Email headers (as opposed to 'CR' followed by 'LF', which is used
  to end a line in SMTP). Outlook can treat this as the end of the headers,
  which would allow Outlook to see a virus that was embedded in the headers.
  RFC 2822 2.2 says that CR and LF characters cannot appear alone in the
  headers. Also, there is no legitimate reason for an Email to contain a lone
  'CR' in the headers.

Outlook 'Long Boundary' Vulnerability (Mail Server)
  This vulnerability occurs when an Email has a MIME boundary that is longer
  than the 70 characters allowed by RFC 2046 5.1.1. Outlook may accept the
  boundary and see a virus, where a virus scanner that rejects the boundary
  will not. There is no legitimate reason for an Email to be sent like this.

Outlook 'Long Filename' Vulnerability (Mail Client)
  This vulnerability occurs when an Email has an attachment with a name longer
  than 256 characters. When this occurs, it is possible for Outlook not to see
  the correct file extension, causing Outlook to think that a dangerous
  attachment is actually safe.

Outlook 'MIME header' Vulnerability (Mail Client)
  This vulnerability occurs when a MIME type that is normally safe to render
  inline (such as audio/x-wav) is declared for a potentially dangerous file
  type (such as an .exe attachment). Outlook may execute the attachment
  automatically, without looking at its file extension. There is no
  legitimate reason for an Email to be sent like this, and a number of viruses
  use this vulnerability.

Outlook 'MIME segment in MIME postamble' Vulnerability (Mail Server)
  This vulnerability occurs when it appears as though a MIME segment is
  occurring after the end of the MIME body (specifically, a MIME segment with
  a boundary other than the one specified appears in the MIME postamble).
  Outlook may see this as an attachment. Although technically valid (RFC 2046
  5.1.1 requires the postamble to be ignored), there is no legitimate reason
  for an Email to be sent like this.

Outlook 'MIME segment in MIME preamble' Vulnerability (Mail Server)
  This vulnerability occurs when it appears as though a MIME segment is
  occurring before it should (specifically, a MIME segment with a boundary
  other than the one specified appears in the MIME preamble). Outlook may see
  this as an attachment. Although technically valid (RFC 2046 5.1.1 requires
  the preamble to be ignored), there is no legitimate reason for an Email to
  be sent like this.

Outlook 'Space Gap' Vulnerability (Mail Server)
  This vulnerability occurs when there is a space in one of the MIME headers
  where there is not normally a space (such as "Content-Type :" instead of
  "Content-Type:"). This is not RFC-compliant, but Outlook will treat it as
  valid and be able to see a virus that virus scanners will not usually see
  (a scanner that does not recognise the misspelt header simply does not know
  the part has an attachment). There is no legitimate reason for an Email to
  be formed like this.

Partial (Fragmented) Vulnerability (Mail Server)
  This vulnerability occurs when one Email is split into separate
  message/partial fragments (RFC 2046 5.2.2), each sent as a separate Email.
  Although this is legal, no single fragment contains the whole attachment,
  so it will bypass virus scanners that do not reassemble the fragments, and
  the feature will therefore likely soon be deprecated.
Vulnerability Type Legend:
Mail Client Vulnerability - A vulnerability that can cause problems (such as
a virus that can run automatically) when malicious Email is sent to certain
mail clients. However, if the Email contains a known virus, it will still be
caught by a mailserver virus scanner, because the attachment is decoded
normally. It is nice if mailserver AV programs catch these, but not vital.
Mail Server Vulnerability - A vulnerability that causes a mailserver virus
scanner and certain mail clients to decode the same Email differently, so that
the client sees (and may automatically run) a virus the scanner never saw. A
mailserver virus scanner that only scans what it can decode will not be able
to detect viruses hidden by these vulnerabilities. Therefore, it is very
important that mailserver AV programs detect these vulnerabilities.
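The checks in the table above, and the "MIME segment in MIME preamble" case
explained earlier, come down to a handful of structural tests on the raw
message bytes, before any MIME decoding is trusted. The following scanner is an
added example written for this page; it is not Declude's code and does not
emulate Outlook, it only reports the structural conditions the table names.
It assumes CRLF line endings as used on the wire, takes the 70-character
boundary limit (RFC 2046 5.1.1) and the page's 256-character filename threshold
as its limits, and uses constructed lists (INLINE_TYPES, EXEC_EXTS) for the
'MIME header' check. The preamble/postamble test is a heuristic: any line that
looks like a boundary delimiter where a conforming parser would ignore text.
All sample messages are constructed for the example.

```python
# Added example: structural-flaw scanner for raw RFC 2822/MIME messages.
# Not Declude's code. Assumes CRLF line endings; limits and flaw names follow
# the table on this page; INLINE_TYPES / EXEC_EXTS are constructed lists.
import re

BOUNDARY_MAX = 70      # RFC 2046 5.1.1: boundary is at most 70 characters
FILENAME_MAX = 256     # threshold the page gives for 'Long Filename'
INLINE_TYPES = {b"text", b"image", b"audio", b"video"}           # constructed
EXEC_EXTS = {b"exe", b"com", b"bat", b"cmd", b"pif", b"scr", b"vbs", b"js"}
CLSID_RE = re.compile(
    rb"\.\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}\s*$", re.I)
DELIM_LIKE = re.compile(rb"--[^-\s]")   # heuristic: a line shaped like "--boundary"


def _split(raw):
    """Split a message or MIME part into (header block, body) at the first
    empty line. A part that begins with an empty line has no headers."""
    if raw.startswith(b"\r\n"):
        return b"", raw[2:]
    i = raw.find(b"\r\n\r\n")
    return (raw, b"") if i < 0 else (raw[:i], raw[i + 4:])


def _field(headers, name):
    """First value of header `name`, unfolded, or b''. Deliberately tolerant of
    whitespace before the colon so a 'Space Gap' cannot hide the field."""
    m = re.search(rb"(?im)^" + re.escape(name) +
                  rb"[ \t]*:[ \t]*([^\r\n]*(?:\r\n[ \t][^\r\n]*)*)", headers)
    return re.sub(rb"\r\n[ \t]+", b" ", m.group(1)) if m else b""


def _param(value, name):
    """Value of a `; name=...` parameter (quoted or bare), or None."""
    m = re.search(rb"(?i);\s*" + name + rb'\s*=\s*("([^"]*)"|[^;\s]*)', value)
    if not m:
        return None
    return m.group(2) if m.group(2) is not None else m.group(1)


def scan(raw):
    """Return the names of the structural flaws found in `raw` (bytes)."""
    flaws = []
    headers, body = _split(raw)
    lines = headers.split(b"\r\n")

    # Header-level flaws: things that make Outlook end the headers early or
    # decode the message differently from a strict scanner.
    if re.search(rb"\r(?!\n)", headers):
        flaws.append("Outlook 'CR'")
    if any(l and not l.strip(b" \t") for l in lines):
        flaws.append("Outlook 'Blank Folding'")
    if any(re.match(rb"[^\s:]+[ \t]+:", l) for l in lines):
        flaws.append("Outlook 'Space Gap'")
    encodings = {v.strip().lower() for v in re.findall(
        rb"(?im)^content-transfer-encoding[ \t]*:[ \t]*([^\r\n]*)", headers)}
    if len(encodings) > 1:
        flaws.append("Conflicting Encoding")

    ctype = _field(headers, b"Content-Type")
    media = ctype.split(b";", 1)[0].strip().lower()
    main = media.split(b"/", 1)[0]

    # Attachment-name flaws (Content-Disposition filename= or Content-Type name=).
    fname = (_param(_field(headers, b"Content-Disposition"), b"filename")
             or _param(ctype, b"name"))
    if fname:
        if len(fname) > FILENAME_MAX:
            flaws.append("Outlook 'Long Filename'")
        if CLSID_RE.search(fname):
            flaws.append("CLSID")
        ext = fname.rsplit(b".", 1)[-1].lower()
        if main in INLINE_TYPES and ext in EXEC_EXTS:
            flaws.append("Outlook 'MIME header'")
    if media == b"message/partial":
        flaws.append("Partial (Fragmented)")

    boundary = _param(ctype, b"boundary")
    if main == b"multipart" and boundary is not None:
        if len(boundary) > BOUNDARY_MAX:
            flaws.append("Outlook 'Long Boundary'")
        # The page's rule; strictly, RFC 2046 permits an interior space (never a tab).
        if b" " in boundary or b"\t" in boundary:
            flaws.append("Outlook 'Boundary Space Gap'")
        delim, close = b"--" + boundary, b"--" + boundary + b"--"
        preamble, parts, postamble, cur = [], [], [], None
        for line in body.split(b"\r\n"):
            tag = line.rstrip(b" \t")         # RFC 2046 allows trailing WSP
            if tag == delim:
                cur = []
                parts.append(cur)
            elif tag == close:
                cur = postamble
            elif cur is None:
                preamble.append(line)
            else:
                cur.append(line)
        if any(DELIM_LIKE.match(l) for l in preamble):
            flaws.append("Outlook 'MIME segment in MIME preamble'")
        if any(DELIM_LIKE.match(l) for l in postamble):
            flaws.append("Outlook 'MIME segment in MIME postamble'")
        for part in parts:                    # nested parts get the same checks
            flaws.extend(scan(b"\r\n".join(part)))
    return flaws


def _multipart(boundary, body_parts, preamble=b"", postamble=b""):
    """Build a constructed multipart/mixed message around `boundary`."""
    delim = b"--" + boundary + b"\r\n"
    return (b"From: sender@example.com\r\nContent-Type: multipart/mixed; boundary=\""
            + boundary + b"\"\r\n\r\n" + preamble + delim + delim.join(body_parts)
            + b"--" + boundary + b"--\r\n" + postamble)


TEXT_PART = b"Content-Type: text/plain\r\n\r\nhello\r\n"
EXE_PART = b"Content-Type: application/octet-stream; name=\"x.exe\"\r\n\r\nTVqQ\r\n"

# Constructed samples: one per flaw, plus two that must stay clean.
SAMPLES = {
    "clean": _multipart(b"b1", [TEXT_PART]),
    "wsp_line_in_body_ok": b"From: a@example.com\r\nSubject: x\r\n\r\nline1\r\n \r\nline2\r\n",
    "blank_folding": b"From: a@example.com\r\n \r\nSubject: x\r\n\r\nbody\r\n",
    "lone_cr": b"From: a@example.com\rSubject: x\r\n\r\nbody\r\n",
    "space_gap": b"From: a@example.com\r\nContent-Type : text/plain\r\n\r\nbody\r\n",
    "conflicting_encoding": (b"Content-Transfer-Encoding: base64\r\n"
                             b"Content-Transfer-Encoding: 7bit\r\n\r\nQQ==\r\n"),
    "long_boundary": _multipart(b"x" * 71, [TEXT_PART]),
    "boundary_space": _multipart(b"b 1", [TEXT_PART]),
    "preamble_segment": _multipart(b"b1", [TEXT_PART], preamble=b"--other\r\n" + EXE_PART),
    "postamble_segment": _multipart(b"b1", [TEXT_PART], postamble=b"--other\r\n" + EXE_PART),
    "mime_header": _multipart(b"b1", [b"Content-Type: audio/x-wav; name=\"song.exe\"\r\n\r\nTVqQ\r\n"]),
    "clsid": (b"Content-Type: application/octet-stream; "
              b"name=\"cutedog.jpg.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\"\r\n\r\nTVqQ\r\n"),
    "long_filename": (b"Content-Type: application/octet-stream; name=\"" + b"a" * 260
                      + b".txt\"\r\n\r\nTVqQ\r\n"),
    "partial": b"Content-Type: message/partial; id=\"abc\"; number=1; total=2\r\n\r\nfragment\r\n",
}


def scan_samples():
    """Run every constructed sample through scan(); returns {name: flaws}."""
    return {name: scan(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, flaws in scan_samples().items():
        print(f"{name:22s} {flaws or 'clean'}")
```

Because the scanner recurses into every MIME part, a flaw buried in a nested
multipart/alternative is reported the same way as one at the top level, and
the "wsp_line_in_body_ok" sample shows the caveat from the 'Blank Folding'
entry: a whitespace-only line is only a flaw inside a header block, never in
the body. A real gateway would act on a non-empty result (quarantine or delete,
per policy) before handing the message to the virus scanner.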
To see if your mailserver virus scanner can detect these vulnerabilities,
please use our Test Mail Sender. This tool sends safe Emails, built with these
structural flaws, to your mailserver; each one should trigger your mailserver
virus scanner. If you receive the Emails, you are missing important virus
protection on your mailserver!