Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

General discussion

Sophos anti-virus protection bypassed with big gaping hole

Feb 12, 2004 2:44AM PST

Virus or trojan sent with no MIME boundary can slip through...

Sophos' anti-virus software can be bypassed by a virus-laden e-mail if it doesn't contain any MIME boundary definitions, the company has admitted. MIME, or Multipurpose Internet Mail Extensions, is the basic protocol used for sending graphic, audio and video on e-mail. But Sophos has found that Delivery Status Notifications generated by qmail mail servers (the second-largest in number on the Net) that are infected with the MyDoom virus slip through the anti-virus software undetected. Only qmail servers set up to include the original e-mail in the bounced e-mail will not include MIME boundary definitions and so slip through. But it still remains a significant security hole considering the number of qmail servers (around one million) and that the impact of many modern viruses and worms come from the emails automatically created by their appearance.

On top of that, a separate bug in the scanning engine means that the anti-virus software can be used to launch a denial of service attack on your PC if certain MIME headings are used. An "unexpectedly terminated MIME header" will send the application into an infinite loop, eating system resources in the process, the company said. In effect, an unpatched version of the software will soon prove a liability rather than offering any sort of protection as not only will virus writers quickly latch onto the idea but the software itself can be used to bring down your computer. Both vulnerabilities apply to the latest version of the software - 3.78 - but an updated version that patches the holes is available for download - 3.78d.

http://www.securitynewsportal.com/index.shtml

Discussion is locked