[Fwd: [SA18368] Microsoft Outlook / Exchange TNEF Decoding Arbitrary Code Execution Vulnerability]

Julian Field MailScanner at ecs.soton.ac.uk
Wed Jan 11 21:58:22 GMT 2006



Kevin Miller wrote:

>Julian Field wrote:
>  
>
>>That one got me very worried. I checked to see that blocking tnef
>>master-files worked, and it appeared not to. So loads of debugging
>>later, I finally find I had commented out the filename.rules.conf and
>>filetype.rules.conf settings in MailScanner.conf.
>>Grrrr.... but also Phew!
>>:-(   :-)
>>
>>Blocking these in filename.rules.conf and filetype.rules.conf works
>>just fine.
>>If you block them in filetype.rules.conf you need to block 2
>>different strings to be sure to always block them on Linux systems,
>>as some of these have 2 entries for the same filetype in /usr/share/
>>magic:
>>TNEF
>>Transport Neutral Encapsulation Format
>>
>>Also, now you see why I insist on tabs separating the 4 fields and
>>not just spaces :-)
>>
>>I would advise blocking them in filename.rules.conf and
>>filetype.rules.conf to be safe.
>>    
>>
> 
>Quick reality check here.  In filename.rules.conf I'd use
>deny	\winmail.dat$	Windows TNEF security vulnerability	Possible buffer overflow in Windows
>  
>
Should be winmail\.dat$

>and in filetype.rules.conf something like:
>
>deny	TNEF	No Windows TNEF	No Winmail.dat files allowed
>deny	Transport Neutral Encapsulation Format	No Windows TNEF	No Winmail.dat files allowed
>  
>
Correct.

>(Paying attention to the distinction between tabs and spaces as
>mentioned above, which Outlook may strip out when I send this)
>
>TIA...
>
>...Kevin
>  
>

-- 
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
Professional Support Services at www.MailScanner.biz
MailScanner thanks transtec Computers for their support

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
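
Added example, not part of the original message or of MailScanner itself: a small linter for the four-field rule lines discussed in this thread. It shows why the tab separators matter and how the two filename patterns differ. It assumes fields are split on one or more tabs and that patterns match case-insensitively; Python's `re` stands in for Perl regexes, and all sample rules and names are constructed.

```python
import re

# Constructed sample rules; \t is a real tab between the four fields.
FILENAME_RULES = "deny\twinmail\\.dat$\tWindows TNEF security vulnerability\tPossible buffer overflow in Windows\n"
FILETYPE_RULES = (
    "deny\tTNEF\t\tNo Windows TNEF\tNo Winmail.dat files allowed\n"
    "deny\tTransport Neutral Encapsulation Format\tNo Windows TNEF\tNo Winmail.dat files allowed\n"
    # The same rule after a mail client replaced the tabs with spaces:
    "deny    Transport Neutral Encapsulation Format  No Windows TNEF  No Winmail.dat files allowed\n"
)

def parse_rule(line):
    """Return (action, pattern, log_text, user_text), or None for blanks/comments.

    Assumption: fields are separated by one or more tab characters."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = re.split(r"\t+", line)
    if len(fields) != 4:
        raise ValueError(f"expected 4 tab-separated fields, got {len(fields)}")
    try:
        re.compile(fields[1])
    except re.error as exc:
        raise ValueError(f"bad pattern {fields[1]!r}: {exc}") from None
    return tuple(fields)

def lint(text):
    """Return (rules, problems); problems is a list of (line_no, message)."""
    rules, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            problems.append((no, str(exc)))
            continue
        if rule:
            rules.append(rule)
    return rules, problems

def first_match(rules, value):
    """Return the first rule whose pattern matches value, else None.

    Assumption: matching is an unanchored, case-insensitive search."""
    for rule in rules:
        if re.search(rule[1], value, re.IGNORECASE):
            return rule
    return None

if __name__ == "__main__":
    print(lint(FILETYPE_RULES)[1])  # the space-separated line is reported
```

A rule line whose tabs were turned into spaces parses as a single field, so the linter flags it rather than guessing where a multi-word pattern such as `Transport Neutral Encapsulation Format` ends.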

