The most dangerous email attachments aren't for humans

Summary: We like to poke fun at people who continue to foolishly click on those e-mail attachments that keep infecting them over and over again. The last thing you would expect are security products -- designed to protect us from infected email in the first place -- that foolishly open up e-mail attachments that can infect them.

We like to poke fun at people who continue to foolishly click on those e-mail attachments that keep infecting them over and over again. The last thing you would expect are security products -- designed to protect us from infected email in the first place -- that foolishly open up e-mail attachments that can infect them. Within the last couple of weeks, Symantec, F-Secure, and Trend Micro announced that their anti-virus scanning software has vulnerabilities in its decompression engines that allow it to be compromised simply by attempting to decompress messages so that it can scan their contents. Symantec was a little more severely impacted because a much larger percentage of its products, from server- to client- to gateway-scanning products, are vulnerable to the UPX parsing engine heap overflow. Trend Micro and F-Secure were hit with their own ARJ parsing vulnerabilities that affected their server and gateway products.

The scary thing about these types of attachments is that they require no user participation to trigger the exploit. All that needs to be done is for a hacker or worm to simply send a specially crafted UPX or ARJ attachment to their victims' domains, and any unpatched anti-virus software that tries to decompress it will get infected, so your security asset becomes your security liability. The only way to fix this vulnerability is to update your anti-virus scanning engines, which requires some manual labor for each and every computer. What I would recommend for the short term, until all systems are patched, is to simply block all UPX attachments at the main gateway if you use Symantec and block all ARJ attachments if you use Trend Micro or F-Secure. Most users have never even heard of the ARJ compression format, let alone UPX compression, so I doubt it will be missed in the short term.
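A gateway block of the kind recommended above holds up better if it keys on attachment content rather than on the file extension, since a renamed archive slips past an extension filter but is still handed to the scanner's decompressor. The following filter is an added example, not code from this post or from any of the vendors named; the ARJ magic bytes (0x60 0xEA) and UPX markers ("UPX!", "UPX0", "UPX1") are my own assumptions about those formats, and the sample message is constructed for the demonstration.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import List, Optional, Set, Tuple

# Assumed format markers (not from the article): ARJ archives begin with
# 0x60 0xEA; UPX-packed PE/ELF files carry "UPX!" and UPX0/UPX1 section names.
ARJ_MAGIC = b"\x60\xea"
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")


def classify_attachment(data: bytes) -> Optional[str]:
    """Return 'arj', 'upx' or None based on the bytes, ignoring the file name."""
    if data[:2] == ARJ_MAGIC:
        return "arj"
    # Heuristic: only look for UPX markers inside something that is an executable,
    # and only in the first few KB where the packer headers live.
    if data[:2] == b"MZ" or data[:4] == b"\x7fELF":
        if any(marker in data[:4096] for marker in UPX_MARKERS):
            return "upx"
    return None


def attachments_to_block(raw: bytes, blocked: Set[str]) -> List[Tuple[str, str]]:
    """Parse a raw RFC 822 message and list (filename, kind) for attachments
    whose content type is in the blocked set, e.g. {"arj"} or {"upx"}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        kind = classify_attachment(payload)
        if kind in blocked:
            hits.append((part.get_filename() or "<unnamed>", kind))
    return hits


def build_sample_message() -> bytes:
    """Constructed sample: an ARJ blob disguised as .zip, a fake UPX-packed PE
    stub, and a harmless text file (none of these are real malware)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "gateway@example.test"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(ARJ_MAGIC + b"\x1e\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="report.zip")
    msg.add_attachment(b"MZ" + b"\x00" * 62 + b"UPX0\x00UPX1\x00UPX!" + b"\x00" * 32,
                       maintype="application", subtype="octet-stream", filename="setup.exe")
    msg.add_attachment("just text\n", subtype="plain", filename="notes.txt")
    return msg.as_bytes()
```

Run against a real gateway feed, the blocked set would be {"upx"} for a Symantec shop and {"arj"} for Trend Micro or F-Secure, per the recommendation above.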


About

George Ou, a former ZDNet blogger, is an IT consultant specializing in Servers, Microsoft, Cisco, Switches, Routers, Firewalls, IDS, VPN, Wireless LAN, Security, and IT infrastructure and architecture.
