The most dangerous email attachments aren't for humans


Summary: We like to poke fun at people who continue to foolishly click on those e-mail attachments that keep infecting them over and over again. The last thing you would expect is that security products, designed to protect us from infected e-mail in the first place, would foolishly open up e-mail attachments that can infect them.


We like to poke fun at people who continue to foolishly click on those e-mail attachments that keep infecting them over and over again. The last thing you would expect is that security products, designed to protect us from infected e-mail in the first place, would foolishly open up e-mail attachments that can infect them. Within the last couple of weeks, Symantec, F-Secure, and Trend Micro each announced that their anti-virus scanning software has vulnerabilities in its decompression engines: the scanner can be compromised simply by attempting to decompress a message so that it can scan the contents. Symantec was hit harder because a much larger percentage of its products, from server- to client- to gateway-scanning products, are vulnerable to a heap overflow in the UPX parsing engine. Trend Micro and F-Secure were hit with their own ARJ parsing vulnerabilities, which affected their server and gateway products.

The scary thing about these attachments is that they require no user participation to trigger the exploit. All a hacker or worm has to do is send a specially crafted UPX or ARJ attachment to the victims' domains; any unpatched anti-virus software that tries to decompress it will get infected, and your security asset becomes your security liability. The only real fix is to update your anti-virus scanning engines, which means some manual labor on each and every computer. What I would recommend in the short term, until all systems are patched, is to block all UPX attachments at the main gateway if you use Symantec, and all ARJ attachments if you use Trend Micro or F-Secure. Note that UPX is an executable packer rather than an archive format: a UPX-packed attachment is still an .exe (or a renamed one), so blocking it at the gateway means blocking executable attachments outright or inspecting the content for the packer's markers, not matching on a ".upx" extension. Most users have never even heard of the ARJ compression format, let alone UPX, so I doubt it will be missed in the short term.
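As an added example (not part of the original post and not any vendor's code), here is the kind of content-based check a gateway filter could apply to implement the short-term blocking described above. Because UPX is an executable packer rather than a file extension, the check identifies ARJ archives by the two-byte header ID that every ARJ file starts with, and UPX-packed executables by the markers the packer leaves in the file, so an attachment renamed to a harmless-looking extension is still caught. The sample message is constructed inline; the function and constant names are my own.

```python
"""Content-based attachment triage for a mail gateway (added example).

Flags attachments by what they contain rather than by their filename:
ARJ archives start with the header ID 0x60 0xEA, and UPX-packed
executables carry the "UPX!" magic and UPX0/UPX1 section names.
"""
import email
from email import policy
from email.message import EmailMessage

ARJ_MAGIC = b"\x60\xea"                    # header ID at offset 0 of every ARJ archive
MZ_MAGIC = b"MZ"                           # DOS/PE executable signature
UPX_MARKERS = (b"UPX!", b"UPX0", b"UPX1")  # packer magic and PE section names
SNIFF_BYTES = 4096                         # UPX markers sit in the headers, near the top


def classify_payload(data: bytes) -> set:
    """Return a set of tags describing the attachment's real content."""
    tags = set()
    if data[:2] == ARJ_MAGIC:
        tags.add("arj")
    if data[:2] == MZ_MAGIC:
        tags.add("exe")
    # The packer stamps its markers into the file, so a renamed .exe still carries them.
    head = data[:SNIFF_BYTES]
    if any(marker in head for marker in UPX_MARKERS):
        tags.add("upx")
    return tags


def triage_message(raw: bytes, block_tags=frozenset({"arj", "upx"})) -> list:
    """Parse a raw RFC 5322 message and decide per attachment whether to block it.

    Returns (filename, tags, blocked) for each attachment, in message order.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        data = part.get_payload(decode=True) or b""
        tags = classify_payload(data)
        results.append((name, tags, bool(tags & block_tags)))
    return results


def build_sample_message() -> bytes:
    """Constructed test message (not real malware): one ARJ, one renamed
    UPX-like executable, one plain text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # hypothetical addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "invoice"
    msg.set_content("see attached")
    # Minimal ARJ-looking blob: just the header ID followed by padding.
    msg.add_attachment(ARJ_MAGIC + b"\x00" * 30, maintype="application",
                       subtype="octet-stream", filename="invoice.arj")
    # Fake UPX-packed PE: MZ stub plus the packer's markers, renamed to .jpg.
    upx_like = MZ_MAGIC + b"\x00" * 62 + b"PE\x00\x00" + b"UPX0" + b"\x00" * 4 + b"UPX1" + b"UPX!"
    msg.add_attachment(upx_like, maintype="application",
                       subtype="octet-stream", filename="photo.jpg")
    msg.add_attachment("just some notes", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for name, tags, blocked in triage_message(build_sample_message()):
        print(f"{name:12} {sorted(tags)!s:24} {'BLOCK' if blocked else 'pass'}")
```

The default `block_tags` blocks both ARJ and UPX content, which covers all three vendors; a site running only Symantec could pass `block_tags={"upx"}` and a Trend Micro or F-Secure site `{"arj"}`. As the article says, this is a stopgap to buy time, not a replacement for patching the scanning engines.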


Talkback

11 comments
  • *shaking head*

    If I could ONLY get games for Linux, I would leave this M$ world behind . . . :(
    Roger Ramjet
    • I did it differently

      It's cheaper to buy *ALL* the consoles than keep a computer updated for games. Every once in a while I'll try stuff with WINE, but considering how old my Linux box is, it's few and far between that I attempt it.
      rpmyers1
    • Nothing to do with OS

      Where did the word Microsoft get mentioned in my blog? This has absolutely nothing to do with Microsoft. Microsoft has nothing to do with this. These vulnerabilities even affect UNIX, Linux, and Windows versions of Trend Micro server- and gateway-based products.
      george_ou
      • Really?

        "Microsoft has nothing to do with this."

        Why are we scanning for virii in the first place? ;-)
        Richard Flude
        • There would be viruses without MS

          If MS never existed today or had lost the OS wars to IBM in the late 80s, do you honestly believe that there would not be viruses today?
          george_ou
          • No, but

            "If MS never existed today or had lost the OS wars to IBM in the late 80s, do you honestly believe that there would not be viruses today?"

            No, but if MS would allow administrators to restrict non-admin users from executing attachments, or files downloaded by other means, the virus threat would disappear in managed (e.g. corporate) environments. Maybe one day :-(
            Richard Flude
          • Non-admin privileges should be default

            I've run environments where users don't get admin rights by default and it does fix a lot of problems. I've recommended that Microsoft should take away admin rights by default, but it's a very difficult change to make because many applications would break. However, I say break them and force the vendors to write their applications properly to not rely on admin rights.
            george_ou
  • How to block UPX???

    Not by blocking extension UPX but by blocking extension EXE, something that you should already be doing. UPX is used to compress executable files and quite common.
    boomslang_z
    • The UPX is the problem, not the EXE

      The problem is that when an unpatched version of Symantec anti-virus software attempts to decompress the UPX file, the act of decompressing it can trigger the execution of arbitrary code. So it is the UPX that should temporarily be blocked until you have upgraded all of your Servers, Gateways, and Clients or else it's an open sore.

      In order to block file extensions, you need SMTP filtering software that can do that.
      george_ou
      • Please Explain?

        How do you block UPX when it is the actual code within the executable file that is packed with this compression routine? Are you just not UPX-decompressing the .EXE file and hoping it is being stopped elsewhere, or are you blocking .EXE files altogether? The act of decompressing UPX is to actually decompress the executable code within an .EXE file, isn't it?

        http://upx.sourceforge.net/

        UPX is a free, portable, extendable, high-performance executable packer for several different executable formats.

        This is not ARJ, RAR or ZIP file/archive compression we are dealing with here.
        boomslang_z
        • We block executables period

          Thanks for your clarification. Blocking file types in general is not a solution, but a very temporary Band-Aid to buy some time. I know the user can rename the file so that it can be sent, but at least it needs a few extra clicks of the mouse and keyboard to open it. So yes, EXE is blocked at the gateway period.

          There is no substitute for patching although I'm disappointed anytime security software is vulnerable.
          george_ou