Initial Publication Date: Advisory Status: Advisory Severity: Legacy ID
3 Apr 2002 Closed Low
The SECURITY.NNOV security group recently disclosed a potential way to bypass the incoming mail scan capabilities of Symantec Norton AntiVirus 2002 by using a non-RFC compliant format in the MIME header.
SECURITY.NNOV tested Symantec Norton AntiVirus 2002 and reported that they could bypass the incoming mail scan capability by using a non-RFC compliant case in the incoming MIME header. According to SECURITY.NNOV, most mail user agents (MUA), the mail handler software that interfaces with the user, ignore the case of Content-Type and Content-Disposition headers while some content filtering software behaves in different ways to the non-RFC compliant headers. By mixing the case of the Content-Type and Content-Disposition headers as in the following example:
SECURITY.NNOV reported that the incoming mail scan capability in Symantec Norton AntiVirus 2002 could be bypassed
Symantec researched this issue and feels that there are some basic misunderstandings concerning the impact of the SECURITY.NNOV findings.
Previous issues concerning non-RFC compliant MIME headers bypassing incoming mail scanning in versions of Symantec Norton AntiVirus 2002 have been reported, analyzed and repaired. While, the non-RFC compliant MIME header reported by SECURITY.NNOV impacted earlier releases of Symantec Norton AntiVirus 2002, systems running Symantec Norton AntiVirus 2002 with the latest updates are not vulnerable to the SECURITY.NNOV issue.
Additionally, Symantec Norton AntiVirus products provide multiple-layered scanning protection. Symantec customers are not in any danger of being infected through any of the non-RFC compliant issues reported. Were malicious code to be hidden in such a manner as to bypass the initial email scan, the malicious virus or code would be detected by real-time scans if the file was saved on the targeted system. Additionally, attempts to execute the malicious code would cause Symantec Auto-Protect to alert.
That said, Symantec takes the security of its products very seriously. Ensure that you are running Symantec Norton AntiVirus 2002 with the latest updates for full protection against this issue.
Symantec recommends the following Best Practices to enhance the protection of your computers from unauthorized access:
Keep vendor-supplied patches for all software up-to-date.
Be wary of mysterious attachments and executables delivered from email, user groups, and so on.
Do not open attachments or executables from unknown sources. Always err on the side of caution.
Even if the sender is known, be wary of attachments if the sender does not explain the attachment content in the body of the email. You do not know the source of the attachment.
If in doubt, contact the sender before opening the attachment. If still in doubt, delete the attachment without opening it.
Symantec takes the security and proper functionality of its products very seriously. Symantec appreciates the identification of potential areas of concern so it can quickly address the issue.
This is machine translated content
Login to Subscribe
Please login to set up your
Would you like to be subscribed to future notifications for this article?
For security reasons, your link to this document has expired. Please click on the attachment link to access this file.
The attachment that you are looking for no longer exists.
There has been an issue retrieving your attachment. Please try again.
Currently server is down.
Didn't find the article you were looking for? Try these resources.