Microsoft Outlook and Mail Server Virus Vulnerabilities:
Did you know that most of the popular mailserver virus scanners won't be able
to catch new viruses in the near future? You can spend $10,000 on a virus
scanner, only to find out that it lets viruses through unscanned and that you
have to pay to upgrade it in order to catch them!
A vulnerability is a security flaw in a program. You may have heard about
some of the more common
mail client vulnerabilities, such as the Outlook
"MIME Headers" vulnerability (where a virus can be run automatically with
certain versions of Outlook). While these are bad, a standard mailserver virus
scanner will catch viruses that exploit these vulnerabilities.
However, there is another serious type of vulnerability that has recently been
discovered: mail server vulnerabilities that allow viruses to bypass mailserver
virus scanners! For example, the Outlook 'MIME segment in MIME preamble'
vulnerability causes Outlook to see an attachment that, when the email is
decoded correctly, does not exist. In this case a mail client (or a mailserver
virus scanner) that properly decodes the email will not see any attachment, but
Outlook will incorrectly see one. When a virus uses this type of vulnerability,
it bypasses a standard mailserver virus scanner and is delivered to the
recipient!
That's why you
should use ActivatorMail: it detects these vulnerabilities! Since it detects
them, ActivatorMail will be able to catch new viruses that use the vulnerabilities,
where standard mailserver virus scanners won't be able to catch them. Do you
really want to buy a mailserver virus scanner that can't catch new viruses?
Vulnerability list (name, type and description):
CLSID Vulnerability (Type: Mail Client):
This vulnerability occurs when an email attachment uses a CLSID as its file
extension. A CLSID is a long string that identifies a particular program (such
as Notepad), and using a CLSID instead of a standard file extension causes
Windows to open the file with the program the CLSID identifies. Windows does
not display the CLSID extension, so a file with an innocent-looking name such
as "cutedog.jpg" can cause another program to run.
Conflicting Encoding Vulnerability (Type: Mail Server):
This vulnerability occurs when the headers of an email claim that two or more
different encoding types are used. A MIME segment can only be encoded in one
way, so if more than one encoding type is listed, the mailserver virus scanner
and the mail client may use different decoding methods on the email. If this
happens, a virus could bypass virus scanning on the mailserver.
Outlook 'Blank Folding' Vulnerability (Type: Mail Server):
This vulnerability occurs when there is a line in the headers containing just a
single space or a single tab character. Outlook can treat this as the end of
the headers, allowing it to see a virus that is embedded in the headers.
RFC 2822 section 3.2.3 says that such lines are not valid, and there is no
legitimate reason for an email to contain a header line consisting of a single
space or tab (a line with a single space or tab is fine in the email body, just
not in the headers).
Outlook 'Boundary Space Gap' Vulnerability (Type: Mail Server):
This vulnerability occurs when there is a space or tab in the MIME boundary.
This is not RFC-compliant, but Outlook will treat it as valid and be able to
see a virus that virus scanners will not usually see. There is no legitimate
reason for an email to be formed like this.
Outlook 'CR' Vulnerability (Type: Mail Server):
This vulnerability occurs when an email contains a lone 'CR' character within
the email headers (as opposed to a 'CR' followed by an 'LF', which is what ends
a line in SMTP). Outlook can treat this as the end of the headers, which allows
Outlook to see a virus embedded in the headers. RFC 2822 section 2.2 says that
CR and LF characters cannot appear alone in the headers, and there is no
legitimate reason for an email to contain a lone 'CR' in the headers.
Outlook 'Long Boundary' Vulnerability (Type: Mail Server):
This vulnerability occurs when an email has a MIME boundary longer than the
RFCs allow. Outlook may see a virus where a virus scanner does not. There is no
legitimate reason for an email to be sent like this.
Outlook 'Long Filename' Vulnerability (Type: Mail Client):
This vulnerability occurs when an email has an attachment whose name is longer
than 256 characters. When this happens, Outlook may fail to see the correct
file extension and so treat a dangerous email as safe.
Outlook 'MIME header' Vulnerability (Type: Mail Client):
This vulnerability occurs when certain safe MIME types are used, but a
potentially dangerous file type is attached. Outlook may execute the attachment
automatically, without looking at its file extension. There is no legitimate
reason for an email to be sent like this, and a number of viruses use this
vulnerability.
Outlook 'MIME segment in MIME postamble' Vulnerability (Type: Mail Server):
This vulnerability occurs when a MIME segment appears to occur after the end of
the MIME body (specifically, a MIME segment with a boundary other than the one
specified appears in the MIME postamble). Outlook may see this as an
attachment. Although technically valid, there is no legitimate reason for an
email to be sent like this.
Outlook 'MIME segment in MIME preamble' Vulnerability (Type: Mail Server):
This vulnerability occurs when a MIME segment appears to occur before it should
(specifically, a MIME segment with a boundary other than the one specified
appears in the MIME preamble). Outlook may see this as an attachment. Although
technically valid, there is no legitimate reason for an email to be sent like
this.
Outlook 'Space Gap' Vulnerability (Type: Mail Server):
This vulnerability occurs when there is a space in one of the MIME headers
where there is not normally a space (such as "Content-Type :" instead of
"Content-Type:"). This is not RFC-compliant, but Outlook will treat it as valid
and be able to see a virus that virus scanners will not usually see. There is
no legitimate reason for an email to be formed like this.
Partial (Fragmented) Vulnerability (Type: Mail Server):
This vulnerability occurs when one email is split into separate parts, each
sent in a separate email. Although this is legal, it bypasses virus scanners,
and therefore will likely soon be deprecated.
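As an added example (not ActivatorMail's code), the Python script below applies the checks the table above describes to a raw message, so a gateway can quarantine mail that a scanner and Outlook might parse differently. The boundary and filename limits, the risky-extension list, the all-zero CLSID placeholder and the sample message are assumptions constructed here.

```python
import re
from email import message_from_bytes
# Added example, not ActivatorMail's code: gateway-side checks for the anomalies
# listed above. Limits and the risky-extension list are assumptions, not the page's.
CLSID_EXT = re.compile(r"\.\{[0-9a-f-]{36}\}$", re.I)         # '.{GUID}' pseudo-extension
RISKY_EXT = (".exe", ".scr", ".vbs", ".pif", ".com", ".bat")

def check_raw_headers(raw: bytes) -> list[str]:
    # Byte-level checks; these must run before any MIME decoding takes place.
    found = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    if re.search(rb"\r(?!\n)", head):                # 'CR' vulnerability
        found.append("lone CR in headers")
    for line in head.split(b"\r\n"):
        if line in (b" ", b"\t"):                     # 'Blank Folding'
            found.append("whitespace-only line in headers")
        if re.match(rb"[!-9;-~]+[ \t]+:", line):      # 'Space Gap': 'Content-Type :'
            found.append("space before colon in header name")
    return found

def check_mime(raw: bytes) -> list[str]:
    # Structural checks on the MIME tree as Python's lenient parser sees it.
    found = []
    for part in message_from_bytes(raw).walk():
        encs = {e.lower() for e in part.get_all("Content-Transfer-Encoding", [])}
        ctype, name = part.get_content_type(), part.get_filename() or ""
        bnd = part.get_boundary() or ""
        found += [msg for cond, msg in (
            (len(encs) > 1, "conflicting encodings on one segment"),
            (len(bnd) > 70, "boundary longer than RFC 2046 allows"),
            (re.search(r"\s", bnd), "whitespace in boundary"),
            (len(name) > 256, "attachment name longer than 256 characters"),
            (CLSID_EXT.search(name), "CLSID extension"),
            (name.lower().endswith(RISKY_EXT) and not ctype.startswith("application/"),
             "risky attachment under a 'safe' MIME type"),
            (ctype == "message/partial", "fragmented (message/partial)"),
        ) if cond]
        if part.is_multipart():                       # segment in preamble/postamble
            for where, text in (("preamble", part.preamble), ("postamble", part.epilogue)):
                if re.search(r"^--\S", text or "", re.M):
                    found.append(f"MIME segment in {where}")
    return found

# Constructed sample: tab-only header line, fake '--' part in the preamble, and an
# attachment named with a placeholder CLSID under a harmless-looking MIME type.
SAMPLE = (b"From: a@example.com\r\nTo: b@example.com\r\n\t\r\n"
          b"Content-Type: multipart/mixed; boundary=\"bnd\"\r\n\r\n"
          b"--fake\r\nContent-Type: text/plain\r\n\r\nnot a real part\r\n"
          b"--bnd\r\nContent-Type: audio/x-wav; name=\"cutedog.jpg."
          b"{00000000-0000-0000-0000-000000000000}\"\r\n\r\nUklGRg==\r\n--bnd--\r\n")
```

Run both checks on every inbound message; the raw-header pass matters most, because a lone CR or a "Content-Type :" header can change where a lenient parser thinks the headers end.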
Vulnerability Type Legend:
Mail Client Vulnerability - A vulnerability that can cause problems (such as a
virus running automatically) when malicious email is sent to certain mail
clients. However, if the email contains a known virus, it will be caught by a
mailserver virus scanner. It is nice if mailserver AV programs catch these, but
not vital.
Mail Server Vulnerability - A vulnerability that can cause problems (such as a
virus running automatically) when malicious email is sent to certain mail
clients. A mailserver virus scanner will not be able to detect viruses that use
these vulnerabilities. Therefore, it is very important that mailserver AV
programs detect these vulnerabilities.