- A fake extension structure intended to get around filtering software
- A fake visible extension to trick people into opening an attachment by making it appear safe, when it actually contains a virus or another malicious payload
This exploit does not work in the full version of Outlook; it works only on Outlook Express. MessageLabs reports finding this vulnerability in Outlook Express versions 6.00.2800.1106 and 6.00.26.0000 but says it didn't test other versions and that the exploit may be widespread. Risk level -- high
I rate this as a relatively high-risk vulnerability because the common use of content filters has led to a sense of complacency. Users tend to feel it is safe to open any attachment that gets through the network filters. The exploit is especially risky because even a tech savvy user might be tempted to open an infected attachment that appears to be safe, both to the user and to the filter. Mitigating factors
This exploit doesn't work with Outlook, which is generally more appropriate in a business environment. Well-trained users who know that they shouldn't open e-mail from strangers, especially when the message has an attachment, won't be at risk. The special e-mail header must be precisely formatted right down to the number and placement of blank spaces. Unfortunately, software is readily available on the Web to build the types of headers used in this attack. This means that the exploit is likely to become a favorite script kiddie attack, as more of them learn about the tools needed to execute this one. Fix -- user training
The only way you can prevent this form of attack is to either remove Outlook Express from systems or train users to follow strict guidelines when opening attachments. Final word
Explaining this sort of obscure attack vector to users in some detail can go a long way toward getting them to understand the difficulty of protecting corporate networks and the reasons for certain IT policies. User training is a lot more effective when you can take the time to really explain the reasons why it is important to do certain things -- in this case, being extra careful about attachments. Simply telling users not to open attachments, or worse yet, trying to teach them to identify "safe" attachments by their extensions won't make nearly as strong an impression as showing them how attackers can trick them even when they try to follow the rules about not opening executable attachments. Of course, you may not have the time or permission from management to undertake this kind of training. In that case, you need to repeatedly reinforce the e-mail rules with memos from the IT department, especially just before holidays such as Valentine's Day and Easter, which are likely to generate a flood of personal messages -- and hacker e-mails masquerading as personal messages.
For a weekly round-up of the enterprise IT news, sign up for the
Enterpise newsletter. Find out what's where in the new Tech Update with our
Guided Tour. Tell us what you think in the
Enterprise Mailroom.
Enterpise newsletter. Find out what's where in the new Tech Update with our
Guided Tour. Tell us what you think in the
Enterprise Mailroom.
