New Attack on E-mail Infrastructure Identified

An information security consultant said Wednesday he’s discovered a serious flaw in network security and anti-virus software products — a flaw that could threaten the Internet’s e-mail infrastructure.

According to Robert Rosenberger, he’s developed an e-mail-borne attack which can potentially defeat most major security products — not by slipping by undetected, but by attacking the security software head-on as it tries to scan email attachments.

While most security software products can successfully protect themselves against code that tries to disable them, Rosenberger claims they also contain programming errors which render them unable to handle what he calls “pathological events”.

One example is a recursive e-mail attachment, or multiple attachments within attachments. According to Rosenberger, when security products encounter such specially crafted files at the local or server level, most will crash, and take the operating system with them.

“I know of products where I can own the box, just by sending an e-mail that nobody receives. I can own the e-mail server, the gateway server — anything that’s part of the e-mail infrastructure,” Rosenberger said.

Besides consulting to corporations and government agencies, Rosenberger is the author of the Computer Virus Myths Web site which critizies anti-virus software vendors for whipping up what he calls virus hysteria in an attempt to boost sales.

Rosenberger recently notified Network Associates, Symantec, and several other major antivirus software vendors about his findings and most have promptly responded by upgrading their products to thwart the attack, which he calls the E-mail Infrastructure Security vulnerability. Officials of the firms were not immediately available for comment.

A representative of the Computer Incident Advisory Capability (CIAC) Wednesday said that organization was not aware of Rosenberger’s findings. Officials from the Computer Emergency Response Team (CERT) were not immediately available for comment.

While he hasn’t publically released information about his exploit, Rosenberger says others could potentially discover similar flaws.

“In about three weeks, every wannabe hacker on the planet is going to know about this and post some kind of sample file, and they’re going to be a lot better than mine.”

News Around the Web