Full Disclosure mailing list archives

RE: How often are IE security holes exploited?
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Fri, 13 Dec 2002 09:17:26 -0600

Nick, wasn't that Braid?  (The damn viruses all seem to run together
now, there's so many of them.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

-----Original Message-----
From: Nick FitzGerald [mailto:nick () virus-l demon co uk] 
Sent: Friday, December 13, 2002 2:15 AM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] How often are IE security 
holes exploited?

I forget exactly which offhand (perhaps the first Yaha or 
something just before it?) took advantage of the CR-only (or 
LF-only??) line break issue, in which many Unix mail servers 
will incorrectly pass what should be CRLF line-terminations 
and are otherwise invalid characters in standard SMTP 
traffic.  Several content filter and AV Email scanner parsers 
"mis-handled" these messages, missing the attachments 
entirely (why these products were not written from the 
beginning to "fail closed" has still not been satisfactorily
answered) and passing the bad messages on.  Of course, 
Outlook and/or OE "happily" saw the messages as intended and 
they would detach and run the attachments (and of course the 
users, feeling "safe" because they knew their Email was 
scanned for bad things, happily double-clicked away...).
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
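
Added example, not part of the original posts or of any product mentioned in them: a pre-scan check that flags bare CR or bare LF line breaks in a raw message and fails closed, as the quoted message argues scanners should. The function names, the "quarantine"/"scan" verdicts and the sample message are assumptions made for illustration.

```python
import re

# A CR not followed by LF, or an LF not preceded by CR, is a bare line break.
BARE_BREAK = re.compile(rb"\r(?!\n)|(?<!\r)\n")

def bare_line_breaks(raw: bytes):
    """Return (offset, 'CR' or 'LF') for every line break that is not CRLF."""
    return [(m.start(), "CR" if m.group() == b"\r" else "LF")
            for m in BARE_BREAK.finditer(raw)]

def line_views(raw: bytes):
    """Line counts seen by a CRLF-only parser and by a lenient parser."""
    return len(raw.split(b"\r\n")), len(re.split(rb"\r\n|\r|\n", raw))

def gate(raw: bytes) -> str:
    """Fail closed: a message two parsers could read differently is held."""
    return "quarantine" if bare_line_breaks(raw) else "scan"

# Constructed sample message (hypothetical address and MIME boundary).
WELL_FORMED = (
    b"From: a@example.com\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"hello\r\n"
    b"--b1--\r\n"
)
# Constructed variants with every CRLF replaced by a bare CR or a bare LF.
BARE_CR = WELL_FORMED.replace(b"\r\n", b"\r")
BARE_LF = WELL_FORMED.replace(b"\r\n", b"\n")

if __name__ == "__main__":
    for name, msg in (("crlf", WELL_FORMED), ("cr", BARE_CR), ("lf", BARE_LF)):
        # verdict, (strict line count, lenient line count), bare break count
        print(name, gate(msg), line_views(msg), len(bare_line_breaks(msg)))
```

The differing line counts from `line_views` show why a CRLF-only scanner and a lenient mail client can disagree about where the headers and MIME parts of the same message begin.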
