Email attachments that use the popular MIME standard could contain malware that bypasses some of the industry's best-known antivirus filters, a security researcher said yesterday.
German researcher Hendrik Weimer, author of Quantenblog, reported a discrepancy between MIME messaging systems and AV applications -- including BitDefender, ClamAV, and Kaspersky's Antivirus for Linux -- that could cause users to contract malware even when they use the AV software.
The report raises some old concerns about MIME, which came under fire two years ago for a broad range of vulnerabilities that required a long round of patching.
The new flaw could be significant, Weimer says in his blog. "From time to time, a vulnerability is found in a virus scanner that allows an attacker to disguise malicious content," he says. "Much rarer are discoveries of new attack classes that are able to blindfold not one, but many virus scanners. Here is one."
The Multipurpose Internet Mail Extensions (MIME) standard was written in the days when email was text-only, and only guaranteed that seven of each eight bits in a byte would make it through, explains the SANS Institute, which has studied Weimer's discovery. To get binary attachments through intact, MIME re-encodes eight-bit content into seven-bit email messages, using an encoding scheme with an "alphabet" of 64 characters (the base64 content-transfer-encoding).
"If you come across a character that isn't a part of your alphabet, you're supposed to ignore it and move on," the SANS Institute says. "The problem arises when an AV engine doesn't follow this standard, but the email program does. The AV engine doesn't scan the attachment properly, but the email program presents the fully-decoded attachment for the end-user's clicking pleasure."
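The decoder mismatch SANS describes can be reproduced without any real malware. The following is an added example, not code from Weimer's report or from any of the scanners named above: it builds a single-part MIME message whose base64 body has been sprinkled with bytes outside the alphabet, then compares three consumers of that body. A toy "strict" scanner that refuses the junk and falls back to scanning the undecoded text never sees the signature; a conforming client (here, Python's own email package, which follows the RFC 2045 ignore rule) recovers the attachment unchanged; and a hardened scanner decodes exactly as the client will and additionally flags the junk, which no legitimate encoder emits. The payload, the signature string and the message headers are all constructed for the example.

```python
import base64
import binascii
import email
import string
from typing import Tuple

# RFC 2045 base64 alphabet: A-Z, a-z, 0-9, '+', '/' ('=' is padding only)
B64_ALPHABET = (string.ascii_letters + string.digits + "+/").encode()
PAD = 0x3D  # '='

# Constructed stand-ins: a harmless body and the byte pattern our toy
# "AV signature" matches on. Neither is a real malware sample.
PAYLOAD = b"harmless constructed attachment body; marker TOY-SIGNATURE-0001 follows\n"
SIGNATURE = b"TOY-SIGNATURE-0001"


def obfuscate(encoded: bytes, junk: bytes = b"*", every: int = 3) -> bytes:
    """Sprinkle non-alphabet bytes through a base64 body.

    RFC 2045 tells decoders to ignore bytes outside the alphabet, so a
    conforming mail client recovers the original attachment unchanged.
    The junk is deliberately non-whitespace: CR/LF is tolerated by almost
    every decoder and would prove nothing.
    """
    if set(junk) & set(B64_ALPHABET):
        raise ValueError("junk must lie outside the base64 alphabet")
    chunks = [encoded[i:i + every] for i in range(0, len(encoded), every)]
    return junk.join(chunks)


def build_message(body_b64: bytes) -> bytes:
    """Wrap an already-encoded body in a minimal single-part MIME message (constructed headers)."""
    headers = (
        b"From: sender@example.test\r\n"
        b"To: victim@example.test\r\n"
        b"Subject: constructed sample\r\n"
        b"MIME-Version: 1.0\r\n"
        b"Content-Type: application/octet-stream; name=\"sample.bin\"\r\n"
        b"Content-Transfer-Encoding: base64\r\n"
        b"Content-Disposition: attachment; filename=\"sample.bin\"\r\n"
        b"\r\n"
    )
    return headers + body_b64 + b"\r\n"


def decode_lenient(body_b64: bytes) -> bytes:
    """RFC 2045 behaviour: drop every byte outside the alphabet, then decode."""
    kept = bytes(b for b in body_b64 if b in B64_ALPHABET or b == PAD)
    return base64.b64decode(kept, validate=True)


def decode_strict(body_b64: bytes) -> bytes:
    """Non-conforming behaviour: any byte outside the alphabet raises binascii.Error."""
    return base64.b64decode(body_b64, validate=True)


def _raw_body(raw_message: bytes) -> bytes:
    msg = email.message_from_bytes(raw_message)
    body = msg.get_payload(decode=False).encode("ascii", "surrogateescape")
    return b"".join(body.splitlines())  # line breaks are always legal in base64 bodies


def client_view(raw_message: bytes) -> bytes:
    """What a conforming client hands the user; the email package ignores junk bytes
    (and records an InvalidBase64CharactersDefect on the message while doing so)."""
    return email.message_from_bytes(raw_message).get_payload(decode=True)


def strict_scanner(raw_message: bytes) -> bool:
    """Toy engine that does not follow the ignore rule: it tries a strict decode and,
    when that fails, scans the undecoded text instead. That fallback is the
    fail-open behaviour the article describes; the decoded bytes are never examined."""
    body = _raw_body(raw_message)
    try:
        data = decode_strict(body)
    except binascii.Error:
        data = body
    return SIGNATURE in data


def hardened_scanner(raw_message: bytes) -> Tuple[bool, bool]:
    """Decode exactly as the client will, and separately report whether the body
    contained bytes outside the alphabet. Returns (signature_found, junk_present);
    a real gateway would treat junk_present alone as grounds to quarantine."""
    body = _raw_body(raw_message)
    junk_present = any(b not in B64_ALPHABET and b != PAD for b in body)
    return SIGNATURE in decode_lenient(body), junk_present


if __name__ == "__main__":
    clean = build_message(base64.b64encode(PAYLOAD))
    evil = build_message(obfuscate(base64.b64encode(PAYLOAD)))
    print("strict scanner, clean message :", strict_scanner(clean))
    print("strict scanner, junked message:", strict_scanner(evil))
    print("client sees original payload  :", client_view(evil) == PAYLOAD)
    print("hardened scanner, junked      :", hardened_scanner(evil))
```

The interesting line is the `except binascii.Error` fallback in `strict_scanner`: an engine that cannot decode a part has to decide whether to block it or pass it, and passing it is exactly the gap being exploited. The hardened variant removes the choice by decoding the way the client does and treating any out-of-alphabet byte as a signal in its own right.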
In simpler terms, the discovery means that some AV products could let infected attachments through to users -- including attachments carrying well-known malware the scanner already has signatures for, because the engine never sees the decoded content it would have matched against.
The flaw is a new problem for the widely-used MIME, which came under fire two years ago when security consultancy Corsaire uncovered more than 800 vulnerabilities in MIME-based email apps and gateway products. The vulnerabilities, which consisted of 190 attack vectors arising from 14 core flaws in how those products handled MIME, were subsequently patched in most email and virus scanning tools. Several other MIME flaws have been reported in the past year, but most were not considered critical.
The new vulnerability probably applies to other virus scanners as well, Weimer says, though he hasn't tested them yet. Although AV vendors have not yet responded to the vulnerability report, Weimer recommends a workaround: put a separate content-filtering daemon, such as the open source amavisd-new, in front of the scanner so that the message is decoded by a different MIME implementation and the scanner is handed the already-decoded attachment rather than the raw encoded message. The workaround only closes the gap if that front-end decoder handles stray characters the same way the recipients' mail clients do; otherwise the discrepancy simply moves to a different pair of programs.
Tim Wilson, Site Editor, Dark Reading