The U.K. government agency responsible for protecting the country's electronic infrastructure has warned of a wide range of flaws affecting products that rely on MIME, one of the Internet's basic protocols.
Software such as e-mail clients, Web browsers, anti-virus products, and mail and Web content checkers could be at risk because of the way they implement MIME (Multipurpose Internet Mail Extensions), a standard for encoding email attachments and HTTP content, according to the alert from the Unified Incident Reporting and Alert Scheme (UNIRAS).
UNIRAS identified eight ambiguities in MIME which could allow dangerous content to slip past detection systems. Information security consultancy Corsaire, which provided the research to the NISCC, didn't specify which products were affected, but both organizations said vulnerabilities were widespread.
"If a content checker were to parse a MIME message incorrectly and to allow the content to pass through the checker based on an incorrect assessment of its MIME type, the security of the content checker could be bypassed," UNIRAS said in its advisory. "If this happened or a content checker was not used, the receiving client could crash or execute arbitrary code if it also parsed the MIME incorrectly."
Corsaire identified the vulnerabilities between June and August of 2003 and the NISCC been working with affected vendors since then, many of whom have already silently released patches, Corsaire said. The firm said that if companies have kept up to date with patches on their MIME-based products, they should be protected. However, the situation is awkward for IT managers -- the only way for them to be sure they aren't affected is to contact their vendors for a statement, Corsaire said.
A Corsaire representative told Techworld the company could not identify affected vendors due to business confidentiality requirements.
A handful of software vendors provided statements to UNIRAS clarifying the status of their MIME-based products, with Apple Computer, Fujitsu , Hewlett-Packard, IBM, MessageLabs and Sun Microsystems' Mozilla browser team all saying their products were not affected.
PLDaniels Software said versions of its ripMIME product prior to 220.127.116.11 were affected by several of the issues, but the problems have now been fixed. F-Secure Corp. said its workstation products aren't vulnerable, but the F-Secure Internet Gatekeeper failed in four of the tests and would be fixed with release 6.41 this autumn.
The problems, detailed in UNIRAS' advisory, arose from anomalous parameter values in MIME headers and MIME encodings that don't parse correctly, UNIRAS said. "This kind of deliberate corruption has already been used by a number of high-profile viruses and worms, such as Nimda, Netsky and Badtrans," Corsaire said in a statement.