[Fwd: [SA18368] Microsoft Outlook / Exchange TNEF Decoding Arbitrary Code Execution Vulnerability]

Kevin Miller Kevin_Miller at CI.JUNEAU.AK.US
Wed Jan 11 21:16:29 GMT 2006


Julian Field wrote:
> That one got me very worried. I checked to see that blocking tnef
> master-files worked, and it appeared not to. So loads of debugging
> later, I finally find I had commented out the filename.rules.conf and
> filetype.rules.conf settings in MailScanner.conf.
> Grrrr.... but also Phew!
> :-(   :-)
> 
> Blocking these in filename.rules.conf and filetype.rules.conf works
> just fine.
> If you block them in filetype.rules.conf you need to block 2
> different strings to be sure to always block them on Linux systems,
> as some of these have 2 entries for the same filetype in
> /usr/share/magic:
> TNEF
> Transport Neutral Encapsulation Format
> 
> Also, now you see why I insist on tabs separating the 4 fields and
> not just spaces :-)
> 
> I would advise blocking them in filename.rules.conf and
> filetype.rules.conf to be safe.
 
Quick reality check here.  In filename.rules.conf I'd use
deny	\winmail.dat$	Windows TNEF security vulnerability	Possible buffer overflow in Windows

and in filetype.rules.conf something like:

deny	TNEF	No Windows TNEF	No Winmail.dat files allowed
deny	Transport Neutral Encapsulation Format	No Windows TNEF	No Winmail.dat files allowed

(Paying attention to the distinction between tabs and spaces as
mentioned above, which Outlook may strip out when I send this)

TIA...

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500
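
A lint check for the rules discussed in this thread, added here as an example; it is not part of the original message or of MailScanner. It assumes the four tab-separated fields described above, that the first matching rule wins, and that Python's re module stands in for MailScanner's Perl regexes; the function names and the sample rule text are constructed for illustration.

```python
import re

# The two `file` descriptions the thread says can identify TNEF on Linux.
TNEF_MAGIC = ("TNEF", "Transport Neutral Encapsulation Format")

def parse_rules(text):
    """Return (rules, problems) for a rules file in the four-field layout."""
    rules, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        # Assumption: a run of tabs counts as one separator.
        fields = [f for f in line.split("\t") if f]
        if len(fields) != 4:
            problems.append(
                (n, f"expected 4 tab-separated fields, got {len(fields)}"))
            continue
        action, pattern = fields[0].strip(), fields[1].strip()
        try:
            rules.append((action, re.compile(pattern)))
        except re.error as exc:
            problems.append((n, f"bad regex: {exc}"))
    return rules, problems

def unblocked_tnef(rules):
    """TNEF descriptions whose first matching rule is not a deny."""
    missed = []
    for desc in TNEF_MAGIC:
        verdict = next((a for a, rx in rules if rx.search(desc)), None)
        if verdict != "deny":
            missed.append(desc)
    return missed

# Constructed sample input: the two filetype rules from the message.
GOOD = (
    "deny\tTNEF\tNo Windows TNEF\tNo Winmail.dat files allowed\n"
    "deny\tTransport Neutral Encapsulation Format\tNo Windows TNEF\t"
    "No Winmail.dat files allowed\n"
)
SPACED = GOOD.replace("\t", "    ")    # what a mail client may leave behind
ONLY_SHORT = GOOD.splitlines()[0]      # only the short "TNEF" string blocked

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("SPACED", SPACED),
                       ("ONLY_SHORT", ONLY_SHORT)):
        rules, problems = parse_rules(text)
        print(name, problems, unblocked_tnef(rules))
```

The ONLY_SHORT case shows why both strings are needed: the pattern TNEF does not occur anywhere in "Transport Neutral Encapsulation Format".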
