[Mimedefang] OT: a hole in Sophos

Michael Sofka sofkam at rpi.edu
Fri Feb 13 14:15:38 EST 2004


On Friday 13 February 2004 04:44, Andrzej Marecki wrote:
> I'm using MD+SA+Sophie+Sophos (SAVI libs + .ide).
> Do you think that what has been written in:
>
> http://www.securitynewsportal.com/cgi-bin/securitynews.cgi?database=JanDD&id=74
>
> ...means my system is vulnerable to attacks via that hole?

We have noticed this on our system.  It seems to only be happening
when cpu-damaged anti-virus programs bounce back a copy of the virus
as text.  Sophos lets it through because it is not an attachment
(I've tried sweep against the entire body of the message, so it
isn't just a matter of MIME::Tools not extracting the virus.)

Norton, however, does detect it.

But, Norton does not always do the right thing once the message is detected.
For Eudora users, it removes the entire in.mbx file.  Even though, in order
to run the virus, a Eudora user would have to: Save the message, find and
run a binhex decoder on the body of the message, and double click on the
resulting file.  In my opinion, the user smart enough to do steps one and
two, but clueless enough to do step three doesn't exist.

Still, it would be nice to catch these.  But, my view is that the fault
does not lie entirely with Sophos, and I would rather run message bodies
against a binhex extractor to catch fragments missed by MIME::Tools.

BTW, when MyDoom first came out we tested Norton and it also missed
MyDoom embedded as text.  An update last week seems to have changed
NAV's behavior, leading to the deleted in.mbx problem.

Mike

-- 
Michael D. Sofka              sofkam at rpi.edu
C&CT Sr. Systems Programmer    Email, TeX, epistemology.
Rensselaer Polytechnic Institute, Troy, NY.  http://www.rpi.edu/~sofkam/
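The approach the reply suggests, running message bodies through a BinHex extractor so that a virus bounced back as inline text is scanned as a file rather than slipping past as "not an attachment", as an added stand-alone example. This is Python written for this page, not MIMEDefang's own Perl filter and not code from Sophos, Norton or anyone in the thread. It assumes the standard BinHex 4.0 layout (the "(This file must be converted with BinHex 4.0)" banner, a ':'-delimited 6-bit stream, 0x90 run-length escapes, CRC-16 trailers), constructs its own sample bounce notice with a made-up payload, and uses function and variable names that are this example's own. Blocks that fail to decode are reported rather than dropped, since a bounced fragment may be truncated.

```python
import binascii
import re
import struct

# Stand-alone BinHex 4.0 scanner (example code, not part of MIMEDefang or Sophos).
# BinHex text carries 6 bits per printable character from this 64-character alphabet.
ALPHABET = "!\"#$%&'()*+,-012345689@ABCDEFGHIJKLMNPQRSTUVXYZ[`abcdefhijklmpqr"
DECODE = {c: i for i, c in enumerate(ALPHABET)}
RLE_MARK = 0x90  # introduces a run-length repeat; 0x90 0x00 is a literal 0x90
BLOCK_RE = re.compile(r"\(This file must be converted with BinHex 4\.0\)\s*(:[^:]*:)")


def _to_sixbit(raw: bytes) -> str:
    bits = "".join(f"{b:08b}" for b in raw)
    bits += "0" * (-len(bits) % 6)
    return "".join(ALPHABET[int(bits[i:i + 6], 2)] for i in range(0, len(bits), 6))


def _from_sixbit(text: str) -> bytes:
    bits = "".join(f"{DECODE[c]:06b}" for c in text)  # KeyError on a non-BinHex character
    return bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits) - len(bits) % 8, 8))


def _rle_encode(raw: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(raw):
        b, run = raw[i], 1
        while i + run < len(raw) and raw[i + run] == b and run < 255:
            run += 1
        if b == RLE_MARK:
            out += bytes([RLE_MARK, 0]) * run  # escape every literal 0x90
        elif run > 3:
            out += bytes([b, RLE_MARK, run])  # "b repeated run times"
        else:
            out += bytes([b]) * run
        i += run
    return bytes(out)


def _rle_decode(data: bytes) -> bytes:
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != RLE_MARK:
            out.append(data[i])
            i += 1
            continue
        count = data[i + 1] if i + 1 < len(data) else 0  # truncated marker: treat as literal
        if count == 0:
            out.append(RLE_MARK)
        elif not out:
            raise ValueError("repeat marker with no preceding byte")
        else:
            out += bytes([out[-1]]) * (count - 1)  # first copy was already emitted
        i += 2
    return bytes(out)


def binhex_encode(name: str, data: bytes, ftype: bytes = b"APPL", creator: bytes = b"????") -> str:
    """BinHex 4.0 text for a file with an empty resource fork (used here to build the sample)."""
    name_b = name.encode("ascii")
    header = bytes([len(name_b)]) + name_b + b"\0" + ftype + creator + struct.pack(">HII", 0, len(data), 0)
    body = header + struct.pack(">H", binascii.crc_hqx(header, 0))
    body += data + struct.pack(">H", binascii.crc_hqx(data, 0))
    body += struct.pack(">H", binascii.crc_hqx(b"", 0))  # empty resource fork, CRC only
    stream = ":" + _to_sixbit(_rle_encode(body)) + ":"
    wrapped = "\n".join(stream[i:i + 64] for i in range(0, len(stream), 64))
    return "(This file must be converted with BinHex 4.0)\n\n" + wrapped + "\n"


def binhex_decode(stream: str) -> dict:
    """Decode one ':'-delimited stream; raises on truncation, CRC mismatch or bad characters."""
    text = re.sub(r"\s+", "", stream)
    if len(text) < 2 or text[0] != ":" or text[-1] != ":":
        raise ValueError("stream not delimited by ':'")
    raw = _rle_decode(_from_sixbit(text[1:-1]))
    name_len = raw[0]
    pos = 2 + name_len  # length byte, name, version byte
    ftype, creator, _flags, dlen, _rlen = struct.unpack(">4s4sHII", raw[pos:pos + 18])
    pos += 18
    if struct.unpack(">H", raw[pos:pos + 2])[0] != binascii.crc_hqx(raw[:pos], 0):
        raise ValueError("header CRC mismatch")
    pos += 2
    data = raw[pos:pos + dlen]
    if len(data) != dlen:
        raise ValueError("data fork truncated")
    if struct.unpack(">H", raw[pos + dlen:pos + dlen + 2])[0] != binascii.crc_hqx(data, 0):
        raise ValueError("data fork CRC mismatch")
    return {"name": raw[1:1 + name_len].decode("ascii", "replace"), "type": ftype, "creator": creator, "data": data}


def extract_binhex_parts(body: str) -> list:
    """Find inline BinHex blocks in a text body. Decoded files carry their bytes so a scanner
    can be run on them; blocks that fail to decode are still reported, since a damaged
    fragment is exactly what a bounced copy of a virus can look like."""
    parts = []
    for m in BLOCK_RE.finditer(body):
        try:
            parts.append(binhex_decode(m.group(1)))
        except (ValueError, KeyError, IndexError, struct.error) as exc:
            parts.append({"name": None, "error": str(exc)})
    return parts


# Constructed sample: a bounce notice quoting an "infected attachment" as BinHex text.
# The payload is made up (not malware); the 0x90 bytes and the long run exercise the RLE paths.
SAMPLE_PAYLOAD = b"MZ constructed test payload " + b"\x90" * 5 + b"A" * 300 + b"\x00"
SAMPLE_BODY = ("Your message contained a virus and was not delivered.\n"
               "The offending attachment is reproduced below.\n\n"
               + binhex_encode("invoice.exe", SAMPLE_PAYLOAD) + "\n-- \nAutomated antivirus notice\n")


def scan_sample() -> list:
    return extract_binhex_parts(SAMPLE_BODY)


def scan_truncated_sample() -> list:
    # Simulate a fragment: keep the first half of the encoded text and close the stream.
    enc = binhex_encode("invoice.exe", SAMPLE_PAYLOAD)
    return extract_binhex_parts("bounce\n\n" + enc[: len(enc) // 2] + ":\n")


if __name__ == "__main__":
    for part in scan_sample() + scan_truncated_sample():
        print(part.get("name"), part.get("error"), len(part.get("data", b"")))
```

In a MIMEDefang filter the decoded `data` bytes would be written to a temporary file in the work directory and handed to the same scanner that already checks real attachments; here `scan_sample()` returns the decoded file and `scan_truncated_sample()` shows a damaged fragment being reported rather than silently ignored.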