Various Vulnerabilities in ZoneAlarm MailSafe: msg#00016 security.bugtraq
Tuesday April 2, 2002

Various Vulnerabilities in ZoneAlarm MailSafe
*****************************************************

Scope
-----------
Edvice recently tested ZoneLabs ZoneAlarm Pro's ability to detect and quarantine incoming e-mail attachments that may contain malicious code or viruses. This functionality is provided by ZoneAlarm's MailSafe feature.

The Findings
--------------------
We encountered several vulnerabilities in ZoneAlarm 3.0 MailSafe. The vulnerabilities allow bypassing ZoneAlarm's e-mail protection.

Details
--------------
Most of the vulnerabilities we encountered are known e-mail filter attack techniques and there is no point in explaining them again. However, there is one issue worth mentioning:

It is possible to bypass ZoneAlarm Email Protection by appending a dot to the file name extension (e.g. malicious.exe becomes malicious.exe.). The dot changes the file name extension, and MailSafe fails to compare it with known dangerous extensions.

The MS-Windows operating system, on the other hand, disregards a dot at the end of a file name. When Windows is given a file name ending with a dot, it will automatically remove the dot from the file name extension. When Outlook or Outlook Express receives a file name that ends with a dot, it will present the dot, but will launch the appropriate application when the file is double-clicked, as if the dot does not exist.

Vendor Status
----------------------
ZoneLabs was first contacted on January 26, 2002. A fix (v3.0.118) for most of the vulnerabilities we encountered, including the one mentioned above, is available through ZoneAlarm's Check for Update feature as of yesterday. ZoneLabs is still working on one of the vulnerabilities and a fix is expected soon.

HTML Version: http://www.edvicesecurity.com/ad02-02.htm
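
The mismatch described under Details, as an added Python example that is not part of the advisory and not ZoneLabs code: a filter that compares the literal extension, next to one that first reduces the name to what Windows will open. The block list, function names and sample attachment names are constructed for the illustration; the corrected check also covers several trailing dots, a generalization of the single dot the advisory reports.

```python
# Added example: not ZoneAlarm/MailSafe code. Names and lists are constructed.
import os

# Hypothetical block list for the illustration.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".bat"}


def naive_is_blocked(filename: str) -> bool:
    """Compare the literal extension, the behaviour the advisory describes."""
    _, ext = os.path.splitext(filename)
    return ext.lower() in BLOCKED_EXTENSIONS


def effective_name(filename: str) -> str:
    """Reduce the name to what Windows opens: trailing dots are dropped."""
    return filename.rstrip(".")


def hardened_is_blocked(filename: str) -> bool:
    """Check the extension of the name the operating system will act on."""
    name = effective_name(filename)
    if not name:
        return True  # name was only dots: fail closed and quarantine
    _, ext = os.path.splitext(name)
    return ext.lower() in BLOCKED_EXTENSIONS


def quarantine(filenames, check):
    """Return the attachment names that the given check would quarantine."""
    return [f for f in filenames if check(f)]


# Constructed sample attachment names.
SAMPLE = ["malicious.exe", "malicious.exe.", "malicious.EXE..",
          "report.pdf.", "notes.txt"]

if __name__ == "__main__":
    print("naive:   ", quarantine(SAMPLE, naive_is_blocked))
    print("hardened:", quarantine(SAMPLE, hardened_is_blocked))
```

The general point for any attachment filter is to make its decision on the same canonical name the consuming operating system and mail client will act on, not on the raw string from the message.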