RE: How often are IE security holes exploited?

["Schmehl, Paul L" <pauls () utdallas edu>]

Nick, wasn't that Braid?  (The damn viruses all seem to run together
now, there's so many of them.)

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/


> -----Original Message-----
> From: Nick FitzGerald [mailto:nick () virus-l demon co uk] 
> Sent: Friday, December 13, 2002 2:15 AM
> To: full-disclosure () lists netsys com
> Subject: RE: [Full-disclosure] How often are IE security 
> holes exploited?
>
> I forget exactly which offhand (perhaps the first Yaha or 
> something just before it?) took advantage of the CR-only (or 
> LF-only??) line break issue, in which many Unix mail servers 
> will incorrectly pass what should be CRLF line-terminations 
> and are otherwise invalid characters in standard SMTP 
> traffic.  Several content filter and AV Email scanner parsers 
> "mis-handled" these messages, missing the attachments 
> entirely (why these products were not written from the 
> beginning to "fail closed" has still not been satisfactorily
> answered) and passing the bad messages on.  Of course, 
> Outlook and/or OE "happily" saw the messages as intended and 
> they would detach and run the atatchments (and of course the 
> users, feeling "safe" because they knew their Email was 
> scanned for bad things, happily double-clicked away...).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html