Is MS vulnerable to this Unicode trick?

Mark Sapiro mark at
Sun May 15 17:26:11 IST 2011

On 11:59 AM, Beauchemin, Denis wrote:
> Martin,
> Not everybody is using “file”. I think those that don't use it are probably vulnerable.

According to my tests with MailScanner 4.83.5, they are not.

I created a file with name 'abcdef\u202B\u202Ecod.exe' where
\u202B\u202E are the Unicode right-to-left embedding and right-to-left
override codes respectively. This file displays in Windows Explorer as
an 'executable' icon, and the name appears as 'abcdefexe.doc'.

I then used Thunderbird to send myself an email with the file attached.
Thunderbird attached the file as

Content-Type: application/x-msdownload;
Content-Transfer-Encoding: base64
Content-Disposition: attachment;

Note the name= parameter is RFC 2047 encoded and the filename= is RFC
2231 encoded, but both decode to the 'abcdef\u202B\u202Ecod.exe' name.

MailScanner 4.83.5 removed the attached file and logged the following:

May 15 08:49:34 sbh16 MailScanner[21254]: Filename Checks: Windows/DOS
Executable (89E3D6900B1.AAACB abcdef��cod.exe)
May 15 08:49:34 sbh16 MailScanner[21254]: Saved entire message to
May 15 08:49:34 sbh16 MailScanner[21254]: Saved infected
"abcdef%%E2%%80%%AB%%E2%%80%%AEco.exe" to

There seems to be an issue of some kind in that in the third log message
above, the name is reported as "abcdef%%E2%%80%%AB%%E2%%80%%AEco.exe"
which is missing the 'd' in cod.exe, and in the message to the user, the
name is even more garbled as

At Sun May 15 08:49:34 2011 the virus scanner said:
   MailScanner: Executable DOS/Windows programs are dangerous in email

but the .exe extension was properly recognized.

Mark Sapiro <mark at>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan
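
A check of the kind the post above exercises, as an added example (not MailScanner's code and not part of the original message): decode the name from both the name= and filename= parameters, then judge the extension from the stored character order rather than the displayed one. The sample message, deny list and function names are constructed for illustration.

```python
import unicodedata
from email import message_from_bytes
from email.header import decode_header, make_header
from email.utils import collapse_rfc2231_value

# Constructed sample shaped like the attachment headers described in the post:
# name= in RFC 2047 form, filename*= in RFC 2231 form, two-byte dummy body.
SAMPLE = (
    b"Content-Type: application/x-msdownload;\r\n"
    b' name="=?UTF-8?Q?abcdef=E2=80=AB=E2=80=AEcod.exe?="\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"Content-Disposition: attachment;\r\n"
    b" filename*=UTF-8''abcdef%E2%80%AB%E2%80%AEcod.exe\r\n"
    b"\r\n"
    b"TVo=\r\n"
)

# Unicode bidirectional classes of the embedding/override/isolate controls.
BIDI_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif"}  # assumed deny list


def decoded_names(part):
    """Decode the file name from both parameters that can carry it."""
    names = {}
    for header, param in (("content-disposition", "filename"),
                          ("content-type", "name")):
        value = part.get_param(param, header=header)
        if isinstance(value, tuple):      # RFC 2231 (charset, lang, text)
            names[param] = collapse_rfc2231_value(value)
        elif value is not None:           # plain or RFC 2047 encoded-word
            names[param] = str(make_header(decode_header(value)))
    return names


def inspect_name(name):
    """Return (bidi controls found, extension in stored order, blocked?)."""
    controls = [f"U+{ord(c):04X}" for c in name
                if unicodedata.bidirectional(c) in BIDI_CLASSES]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return controls, ext, ext in BLOCKED_EXTENSIONS


def scan(raw):
    """Map each name-carrying parameter to its inspection result."""
    findings = {}
    for part in message_from_bytes(raw).walk():
        for param, name in decoded_names(part).items():
            findings[param] = inspect_name(name)
    return findings
```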
