Full Disclosure mailing list archives
Re[2]: Re: email attack vector just got wider
From: phased <phased () mail ru>
Date: Wed, 27 Apr 2005 03:56:49 +0400
<img src="http://www.knightofavl.com/images/ChrissirhC.jpg"> -----Original Message----- From: "Randall M" <randallm () fidmail com> To: "'Micheal Espinola Jr'" <michealespinola () gmail com>,"'Full Disclosure'" <full-disclosure () lists grok org uk> Date: Tue, 26 Apr 2005 18:39:51 -0500 Subject: RE: [Full-disclosure] Re: email attack vector just got wider
Just my 2cents worth. About the only defense is using programs such as MailSecurity to block and alert when anything is encrypted or password protected. thank you Randall M "If we ever forget that we're one nation under God, then we will be a nation gone under." - Ronald Reagan _________________________________ _____ From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Micheal Espinola Jr Sent: Tuesday, April 26, 2005 11:56 AM To: Full Disclosure Subject: [Full-disclosure] Re: email attack vector just got wider an update: My latest finding is that Adobe PDF's with embedded attachments can be bundled and distributed as a Secure Electronic Envelope (eEnvelope). eEnvelopes are designed to protect documents in transit with the use of encryption. Password protected .ZIP's are typically addressed at the SMTP gateway by AV software with the option to strip or reject compressed file attachments that are not readily scan-able (due to the password protection, etc). Although Adobe recommends enabling scanning all file types in order to scan a PDF (and ass/u/me'ing its embedded contents as well), an AV scanner is not currently going to be able to scan this encrypted content until the content has been rendered/unencrypted at the desktop. While many AV vendors have factored certain compressed archive standards into their products, I have seen no indication that this is being addressed for this relatively new and already widely deployed product. Call me a worry-wort, but I foresee this is the next "in" for malware distribution. On 4/25/05, Micheal Espinola Jr <michealespinola () gmail com> wrote: Perhaps not "just". My apologies for those that are aware of this, but it seems Adobe 6 also had this capability - although many people have been unaware of this. I recently upgrade from 5 to 7, so I missed this potential issue from the get-go. Someone pointed out to me that Symantec does have a bulletin stating that by setting your AV to "scan all files" you can detect a virus inside a file embedded into a PDF. Unfortunately, this does not address the blocking of certain attachments outright. On 4/25/05, Micheal Espinola Jr <michealespinola () gmail com <mailto:michealespinola () gmail com> > wrote: It seems most people I know haven't noticed that the new version of Adobe Acrobat (7) now allows for embedded/attached documents. Since PDF's have generally been considered a safe document format and are typically not blocked by content/attachment scanners, this now opens an email-based attack vector that anti-virus providers [to the best of my knowledge] are not currently addressing. Many thanks to Adobe for creating another issue for us to deal with, and especially for not having the forethought to coordinate with anti-virus vendors to prepare for assuredly future exploitation of the technology. -- ME2 my home: <http://www.santeriasys.net/> my photos: < <http://mespinola.blogspot.com/> http://mespinola.blogspot.com/> -- ME2 my home: < <http://www.santeriasys.net/> http://www.santeriasys.net/> my photos: < <http://mespinola.blogspot.com/> http://mespinola.blogspot.com/> -- ME2 my home: <http://www.santeriasys.net/> my photos: <http://mespinola.blogspot.com/> _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- email attack vector just got wider Micheal Espinola Jr (Apr 25)
- Re: email attack vector just got wider Micheal Espinola Jr (Apr 25)
- Re: email attack vector just got wider Micheal Espinola Jr (Apr 26)
- RE: Re: email attack vector just got wider Randall M (Apr 26)
- Re[2]: Re: email attack vector just got wider phased (Apr 26)
- Message not available
- Re: Re: email attack vector just got wider Micheal Espinola Jr (Apr 27)
- Re: email attack vector just got wider Micheal Espinola Jr (Apr 26)
- Re: email attack vector just got wider Micheal Espinola Jr (Apr 25)
- Re: email attack vector just got wider Micheal Espinola Jr (Apr 25)
- Re: email attack vector just got wider psz (Apr 25)