Patch Needed For Latest MIME Flaw
Exploiting MIME encoding could bypass anti-virus software, reports security researcher Hendrik Weimer, the founder of OS Reviews. MIME (Multipurpose Internet Mail Extensions) encodes e-mail content so that SMTP (Simple Mail Transport Protocol), which was designed to handle only text, can carry it.
According to Weimer, the trick could be considerably more dangerous than a flaw that allows attackers to evade a single virus scanner. The discovery of new attacks that go undetected by not just one but many virus scanners is rarer still.
In his experiment with virus scanners, Weimer used Base64 encoding together with non-standard characters. A decoder is supposed to ignore these characters, so he could use them to create a MIME document that still contained the virus scanner test string. Base64 encoding is part of the MIME standard and uses an alphabet of 64 characters, each representing a predefined value.
Weimer then passed the document through a selected group of mail scanners, of which only two responded. One scanner reported that it had failed to scan the e-mail, and the rest let the mail pass. Many e-mail clients, such as Microsoft Outlook, would properly reassemble the EICAR (European Institute for Computer Antivirus Research) string when the message entered the system. The EICAR string is an executable string created to test whether anti-virus software is working.
Some virus scanners will let viruses pass without hesitation once they arrive in RFC-compliant encoding. Weimer wrote that this is amazing in the light of virus attacks.
Weimer got even better results when he used multipart/mixed wrapping with a malicious file attachment. Then only one of the six virus scanners was able to identify the EICAR file.
MIME also posed a security risk once before, in 2004. At that time the security consultancy Corsaire found faults in MIME that required fixing. Corsaire detected eight flaws in MIME that could let dangerous content pass through detection products. The vulnerabilities were widespread and needed many layers of patching.
Now hope rests on security developers to design a patch for the recent issues with MIME before malware writers succeed in exploiting them. After all, the benefits of MIME encoding should be preserved.
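The scanner-side check this implies, as an added example that is not from Weimer's report or any scanner's code: decode a Base64 part the way a mail client does (dropping characters outside the alphabet), match on the decoded bytes, and flag the stray characters themselves. The marker, function names and sample bodies are constructed for illustration; the marker stands in for a real signature.

```python
import base64
import binascii
import re

# Everything outside the Base64 alphabet; MIME decoders ignore these characters.
NON_ALPHABET = re.compile(rb"[^A-Za-z0-9+/=]")
# Line breaks and blanks are normal in a wrapped body, so they are not counted.
LAYOUT = re.compile(rb"[\r\n \t]")
MARKER = b"CONSTRUCTED-TEST-MARKER"  # constructed stand-in for a signature


def strict_decode(body: bytes):
    """Decode like a strict parser: a stray character makes decoding fail."""
    try:
        return base64.b64decode(LAYOUT.sub(b"", body), validate=True)
    except binascii.Error:
        return None


def lenient_decode(body: bytes):
    """Decode like a mail client; also return the number of stray characters."""
    cleaned = NON_ALPHABET.sub(b"", body)
    stray = len(LAYOUT.sub(b"", body)) - len(cleaned)
    try:
        return base64.b64decode(cleaned, validate=True), stray
    except binascii.Error:
        return None, stray


def scan_part(body: bytes) -> dict:
    payload, stray = lenient_decode(body)
    found = payload is not None and MARKER in payload
    if found:
        verdict = "block"
    elif stray or payload is None:
        verdict = "flag"  # fail closed on anomalous or undecodable parts
    else:
        verdict = "pass"
    return {"strict_ok": strict_decode(body) is not None,
            "stray_chars": stray, "marker_found": found, "verdict": verdict}


def constructed_samples():
    """Return (clean, padded) bodies carrying the same constructed payload."""
    encoded = base64.b64encode(b"hello " + MARKER + b" world")
    chunks = [encoded[i:i + 6] for i in range(0, len(encoded), 6)]
    return b"\r\n".join(chunks), b"!\r\n".join(chunks)
```

A scanner that relies only on `strict_decode` never sees the payload in the second sample, which is the gap the article describes.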
» SPAMfighter News - 18-12-2006