Sophos Anti-Virus 3.78 MIME handling Vulnerability

12 February 2004, 05:30 PM, #1
Nicks VR4 (Thread Starter)

Graham Cluley was lost for words
-----------------------------------

SecurityPortal
Sophos anti-virus protection bypassed with big gaping hole
Virus or trojan sent with no MIME boundary can slip through...
02-12-2004 12:28:20 AM CST -- By Kieren McCarthy, Techworld

Sophos' anti-virus software can be bypassed by a virus-laden e-mail if it doesn't contain any MIME boundary definitions, the company has admitted. MIME, or Multipurpose Internet Mail Extensions, is the basic protocol used for sending graphics, audio and video on e-mail. But Sophos has found that Delivery Status Notifications generated by qmail mail servers (the second-largest in number on the Net) that are infected with the MyDoom virus slip through the anti-virus software undetected. Only qmail servers set up to include the original e-mail in the bounced e-mail will not include MIME boundary definitions and so slip through. But it still remains a significant security hole considering the number of qmail servers (around one million) and that the impact of many modern viruses and worms comes from the e-mails automatically created by their appearance.

On top of that, a separate bug in the scanning engine means that the anti-virus software can be used to launch a denial of service attack on your PC if certain MIME headings are used. An "unexpectedly terminated MIME header" will send the application into an infinite loop, eating system resources in the process, the company said. In effect, an unpatched version of the software will soon prove a liability rather than offering any sort of protection as not only will virus writers quickly latch onto the idea but the software itself can be used to bring down your computer. Both vulnerabilities apply to the latest version of the software - 3.78 - but an updated version that patches the holes is available for download - 3.78d.

Click here to read the original article at TechWorld.com

Click here to go directly to the Sophos web site for more information and to download the fix for the various OSes

The normally colorful Sophos commentator, Graham Cluley, was reported to be at a loss for words in explaining this significant oversight.... although I am confident he would advise Sophos owners to RUN... don't walk and get updated quickly...

From Sophos web site

Advisory: Sophos Anti-Virus 3.78 MIME handling
This article last updated: 12 February 2004

Sophos Anti-Virus version 3.78 may fall into an infinite loop when scanning some emails. When the scanning engine encounters a MIME header that is unexpectedly terminated at the end of the file, it mistakenly tries to read on. Users of SAVI-compliant products, including PureMessage and MailMonitor, are affected.

In addition, a particular type of Delivery Status Notification (DSN) generated by qmail mail servers with the W32/MyDoom-A worm embedded in the body, will pass through the Sophos Anti-Virus engine undetected. Not all qmail servers generate DSNs in this manner. Where qmail has been configured to include the original email in the bounce message, it will do so. The qmail generated DSN will not include any MIME boundary definitions. In this instance, the Sophos Anti-Virus engine will not detect the virus.

This issue has been recognised and resolved. Affected users are advised to download the operating system-specific version of Sophos Anti-Virus outlined below. W32/MyDoom-A will then be detected correctly.

Updated versions of Sophos Anti-Virus version 3.78d:

Windows NT/2000/XP/2003 (i386)
FreeBSD version 3+ on Intel (using ELF format)
Linux on Intel using libc6
Linux on Intel using libc6 (glibc 2.2)
Solaris on Sparc
AIX on PowerPC
HP-UX on HP-PA
The Enterprise Manager databank has been updated with the relevant packages.
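As an added illustration of the two failure modes in the advisory above (this is not code from Sophos or from the original post), the following Python sketch parses a message's header block with an explicit end-of-file guard, so a header cut off at EOF ends the parse instead of making it read on, and it still scans a body that declares no MIME boundary instead of skipping it. The marker string, the message samples and the qmail-style bounce layout are constructed for the example.

```python
import base64
import binascii
import re

# Constructed placeholder for detection data; a real engine uses its own signatures.
MARKER = b"CONSTRUCTED-MALWARE-MARKER"
B64_RUN = re.compile(rb"(?:[A-Za-z0-9+/]{16,}=*\r?\n)+")

def parse_headers(data: bytes):
    """Return (headers, body, truncated); stops at EOF instead of reading on."""
    headers, pos, truncated = {}, 0, False
    while pos < len(data):
        nl = data.find(b"\n", pos)
        if nl == -1:  # header line cut off at end of file: flag it and stop
            truncated, pos = True, len(data)
            break
        line = data[pos:nl].rstrip(b"\r")
        pos = nl + 1
        if not line:  # blank line ends the header block (folding not handled)
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, data[pos:], truncated

def scan(data: bytes):
    """Return (infected, truncated); a body without MIME boundaries is still scanned."""
    headers, body, truncated = parse_headers(data)
    m = re.search(rb'boundary="?([^";\s]+)', headers.get(b"content-type", b""))
    if m:  # declared multipart: scan each part between the delimiters
        units = [p for p in body.split(b"--" + m.group(1)) if p.strip() not in (b"", b"--")]
    else:  # no boundary definitions (the qmail DSN case): the whole body is one unit
        units = [body]
    for unit in units:
        if MARKER in unit:
            return True, truncated
        for run in B64_RUN.finditer(unit):  # decode base64 found anywhere in the unit
            try:
                if MARKER in base64.b64decode(run.group(0)):
                    return True, truncated
            except binascii.Error:
                pass
    return False, truncated
# Constructed samples: a qmail-style bounce (no Content-Type or boundary) quoting
# the original message with a base64 attachment, and a header block cut off at EOF.
QMAIL_DSN = (b"From: MAILER-DAEMON@example.invalid\r\nSubject: failure notice\r\n\r\n"
             b"Hi. This is the qmail-send program.\r\n--- Below this line is a copy of the message.\r\n\r\n"
             b'Content-Type: multipart/mixed; boundary="inner"\r\n\r\n--inner\r\nContent-Transfer-Encoding: base64\r\n\r\n'
             + base64.encodebytes(b"MZ" + MARKER * 4) + b"--inner--\r\n")
TRUNCATED_MSG = b"From: a@example.invalid\r\nContent-Type: text/pla"
```

`scan(QMAIL_DSN)` reports the embedded attachment even though the outer message has no boundary, and `scan(TRUNCATED_MSG)` returns with the truncated flag set rather than looping.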