[Fwd: [SA18368] Microsoft Outlook / Exchange TNEF Decoding Arbitrary Code Execution Vulnerability]
Carl Andrews
carl.andrews at CRACKERBARREL.COM
Wed Jan 11 22:06:38 GMT 2006
Thanks Everyone!
On Wed, 2006-01-11 at 21:58 +0000, Julian Field wrote:
> Kevin Miller wrote:
>
> >Julian Field wrote:
> >
> >
> >>That one got me very worried. I checked to see that blocking tnef
> >>master-files worked, and it appeared not to. So loads of debugging
> >>later, I finally find I had commented out the filename.rules.conf and
> >>filetype.rules.conf settings in MailScanner.conf.
> >>Grrrr.... but also Phew!
> >>:-( :-)
> >>
> >>Blocking these in filename.rules.conf and filetype.rules.conf works
> >>just fine.
> >>If you block them in filetype.rules.conf you need to block 2
> >>different strings to be sure to always block them on Linux systems,
> >>as some of these have 2 entries for the same filetype in /usr/share/
> >>magic:
> >>TNEF
> >>Transport Neutral Encapsulation Format
> >>
> >>Also, now you see why I insist on tabs separating the 4 fields and
> >>not just spaces :-)
> >>
> >>I would advise blocking them in filename.rules.conf and
> >>filetype.rules.conf to be safe.
> >>
> >>
> >
> >Quick reality check here. In filename.rules.conf I'd use
> >deny	\winmail.dat$	Windows TNEF security vulnerability	Possible buffer overflow in Windows
> >
> >
> Should be winmail\.dat$
>
> >and in filetype.rules.conf something like:
> >
> >deny	TNEF	No Windows TNEF	No Winmail.dat files allowed
> >deny	Transport Neutral Encapsulation Format	No Windows TNEF	No Winmail.dat files allowed
> >
> >
> Correct.
>
> >(Paying attention to the distinction between tabs and spaces as
> >mentioned above, which Outlook may strip out when I send this)
> >
> >TIA...
> >
> >...Kevin
> >
> >
>
> --
> Julian Field
> www.MailScanner.info
> Buy the MailScanner book at www.MailScanner.info/store
> Professional Support Services at www.MailScanner.biz
> MailScanner thanks transtec Computers for their support
>
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
>
>
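Added example (not part of the thread and not MailScanner's own code): a small Python lint for the rules discussed above, showing why spaces instead of tabs break a rule, why both filetype strings are needed, and what the `winmail\.dat$` correction changes. It assumes four tab-separated fields per rule and first-match evaluation, uses Python's `re` in place of Perl regexes, and all helper names and rule text are constructed for illustration.

```python
import re

# Python's re stands in for MailScanner's Perl regexes (assumption);
# \w and \. mean the same in both. All rule text below is constructed.
MAGIC_NAMES = ["TNEF", "Transport Neutral Encapsulation Format"]

def parse_rules(text):
    """Return (rules, errors); a rule is 4 tab-separated fields."""
    rules, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        fields = [f.strip() for f in line.split("\t") if f.strip()]
        if len(fields) == 4:
            rules.append(tuple(fields))
        else:
            errors.append((n, len(fields)))  # (line number, fields found)
    return rules, errors

def first_match(rules, value):
    """Action of the first rule whose pattern matches value, else None."""
    for action, pattern, _log_text, _user_text in rules:
        if re.search(pattern, value):
            return action
    return None

def uncovered(rules, names=MAGIC_NAMES):
    """Filetype descriptions from the thread that no deny rule matches."""
    return [n for n in names if first_match(rules, n) != "deny"]

def rule(*fields):
    """Build one rule line with explicit tab separators."""
    return "\t".join(fields)

LOG, USER = "No Windows TNEF", "No Winmail.dat files allowed"
FILENAME_AS_POSTED = rule("deny", r"\winmail.dat$", LOG, USER)
FILENAME_CORRECTED = rule("deny", r"winmail\.dat$", LOG, USER)
FILETYPE_RULES = "\n".join([
    rule("deny", "TNEF", LOG, USER),
    rule("deny", "Transport Neutral Encapsulation Format", LOG, USER),
])
# Same rule after a mail client turned the tabs into spaces.
SPACES_ONLY = "deny Transport Neutral Encapsulation Format " + LOG + " " + USER

if __name__ == "__main__":
    print("space-separated rule errors:", parse_rules(SPACES_ONLY)[1])
    ft, _ = parse_rules(FILETYPE_RULES)
    print("uncovered with both rules:", uncovered(ft))
    print("uncovered with only 'TNEF':", uncovered(ft[:1]))
    for text in (FILENAME_AS_POSTED, FILENAME_CORRECTED):
        fn, _ = parse_rules(text)
        print(fn[0][1], [first_match(fn, v) for v in ("winmail.dat", "xinmail-dat")])
```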