Outlook Express Lets Attackers Skirt Filters

A feature in Microsoft's Outlook Express mail client allows attackers to sneak malicious code past filters and anti-virus apps.

A feature in Microsoft Corp.s Outlook Express mail client that enables users to send large e-mails in several parts can also be used by virus writers and attackers to sneak malicious code past filters and anti-virus software.

The feature is disabled by default but can be enabled with a few mouse clicks from the Tools drop-down menu. The tool is meant mainly for users on slow, dial-up connections who need to send large e-mails. When enabled, it breaks messages into two or more parts, sends them to the recipient, whose mail client then automatically reassembles them into one message before delivery.

The problem is that some anti-virus scanners and SMTP content-filtering applications do not perform the reassembly before scanning the messages. This allows an attacker to bypass such filters and send a virus, Trojan or any other type of file that might ordinarily be banned from a corporate network, according to an advisory published Thursday by Beyond Security Ltd., an Israeli security company.

This issue is not a vulnerability in Outlook Express. Rather, it is a failing of the various AV and filtering products.

The fragmentation feature is documented in IETF RFC 2046 as "Message Fragmentation and Reassembly."

Among the products known to be vulnerable to this method are TrendMicro Inc.s InterScan VirusWall 3.5 for NT and GFI Software Ltd.s MailSecurity for Exchange/SMTP 7.2. Both companies have issued patches, which are available at their respective Web sites.

MIMEDefang, a Linux-based SMTP filter from Roaring Penguin Software Inc., is also vulnerable. The company has released an updated version to fix the problem.

Related Stories:

  • Microsoft Puts Out Patch for Windows Flaw
  • More Security Coverage