Due to the scale and seriousness of this issue - and the requirement for coordination of vendors with compromised products - Corsaire passed its findings to the UK National Infrastructure Co-ordination Centre (NISCC) team, which is expected to release full details to the public at noon today (Monday 13 September 2004).
The MIME vulnerabilities were discovered during a recent Corsaire project to assess the suitability of the email systems used by a large insurance company. The scope of the project was to identify any weaknesses in the organisation's controls for limiting the types of data sent via email and identifying malicious content, such as viruses.
During this investigation bespoke tools developed by Corsaire were used to test the system's ability to identify standard and non-standard document formats, and also deliberately malformed MIME encapsulation. The MIME flaws came to light when the same tools were applied to a variety of contemporary mail gateway products. The end result was the discovery of 14 fundamental MIME implementation issues, with 190 discrete attack vectors, Corsaire warned.
"In specific terms, these were used to identify over 1000 individual vulnerabilities in only ten common MIME gateway products. At the last count Corsaire was aware of around 90 separate vendors producing MIME products that will also likely be affected," Corsaire said in a prepared statement.
The link for this article located at Rob Jaques is no longer available.
