Clearswift has updated its popular Mailsweeper e-mail-filtering product, tightening up handling of particular compressed file formats that could be used to slip malicious code into a business network.
But while Clearswift was careful to characterize the change as a routine update, security researchers accused the company of fixing a security hole and hoping no one would notice.
Clearswift's hotfix for Mailsweeper 4.3.15 is available directly from the company.
Security has become a sensitive issue in the enterprise, with corporate networks battered by ever-more-damaging virus outbreaks, and some companies have been criticized for attempting to maintain a reputation for good security by keeping their own vulnerabilities out of the spotlight.
In May, for example, security researchers warned of two serious bugs in Apple Computer's Mac OS X operating system, and were dismayed when Apple went out of its way to downplay the seriousness of the problem.
Clearswift said this week that its Mailsweeper update allows the tool to identify several relatively new compressed file formats that had been left out of the earlier product. But the company said these formats didn't previously pose a problem. "The file types highlighted would come through as unknown and would be put into quarantine, so there is no vulnerability," said Clearswift product director Andy Morris. Morris added that, in any case, the file types are rarely encountered in the wild.
Martin O'Neal of U.K.-based security firm Corsaire painted a different picture. Versions of Mailsweeper prior to 4.3.15 -- that is, prior to Clearswift's update last week -- are vulnerable to attacks by several types of compressed files because the product does not detect the presence of the files. In some cases Mailsweeper also does not identify the name of file attachments when they are encoded, O'Neal said in an advisory.
In Corsaire's tests, Mailsweeper didn't block potentially malicious executable files encoded in some compression formats, despite Clearswift claiming compatibility with those formats. "By virtue of the encoding formats not being detected, the container and the contents are passed through the system without being analyzed," O'Neal said in the advisory.
Newer formats such as 7ZIP and ACE were not detected, while the TAR format, listed as compatible with Mailsweeper, produced an error in the product, O'Neal said. He said some formats, such as RAR and ZIP, that were listed as being compatible, were version-dependent -- the product didn't support newer versions of the formats.
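The failure O'Neal describes has two halves: a container the gateway does not recognise passes through unanalyzed, and a container it does recognise may be a version its unpacker cannot open. The sketch below is an added example, not Clearswift's or Corsaire's code. It identifies archive containers by their magic bytes rather than by file name, reads the ZIP header's "version needed to extract" field, and quarantines anything it cannot both recognise and unpack; the SUPPORTED set and the 2.0 ZIP ceiling are assumptions chosen for illustration, and the sample headers are constructed.

```python
import struct
# Container signatures: (offset, magic bytes, format name). ACE keeps its marker at
# offset 7 and a ustar TAR header puts "ustar" at offset 257; the rest sit at offset 0.
SIGNATURES = [
    (0, b"PK\x03\x04", "zip"),
    (0, b"Rar!\x1a\x07\x00", "rar4"),
    (0, b"Rar!\x1a\x07\x01\x00", "rar5"),
    (0, b"7z\xbc\xaf\x27\x1c", "7zip"),
    (7, b"**ACE**", "ace"),
    (0, b"\x1f\x8b", "gzip"),
    (257, b"ustar", "tar"),
]
# Assumed unpacker capabilities (hypothetical, for illustration): formats it can open
# and the highest ZIP "version needed to extract" it handles (20 = 2.0, deflate).
SUPPORTED = {"zip", "tar", "gzip"}
MAX_ZIP_VERSION = 20

def identify(data):
    # Name the container by its bytes, never by the declared file name or extension.
    for offset, magic, name in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return None

def zip_version_needed(data):
    # LE uint16 at offset 4 of the local header; a truncated header fails closed as unsupported.
    return struct.unpack_from("<H", data, 4)[0] if len(data) >= 6 else MAX_ZIP_VERSION + 1

def decide(data, declared_name):
    # Returns (disposition, reason). Default is quarantine: only a container that is
    # both recognised and within the unpacker's abilities is passed on for analysis.
    fmt = identify(data)
    if fmt is None:
        return "quarantine", f"unrecognised container ({declared_name})"
    if fmt not in SUPPORTED:
        return "quarantine", f"{fmt} recognised but not unpackable"
    if fmt == "zip":
        needed = zip_version_needed(data)
        if needed > MAX_ZIP_VERSION:
            return "quarantine", f"zip needs version {needed / 10:.1f}, max supported 2.0"
    return "unpack", fmt

if __name__ == "__main__":
    samples = {  # constructed headers, not real attachments
        "report.zip": b"PK\x03\x04\x14\x00" + b"\x00" * 24,
        "newer.zip": b"PK\x03\x04\x3f\x00" + b"\x00" * 24,
        "tool.7z": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26,
    }
    for name, header in samples.items():
        print(name, *decide(header, name))
```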
Another security firm agreed that the unsupported file types appeared to pose a threat. "The fact that a file format isn't very common is hardly an excuse when the product lists support for those file types on the product information page," said Thomas Kristensen, chief technical officer of Secunia. "Also, some of the formats are supported by WinZip, allowing most users to open the files." In its own advisory, Secunia ranked the issue "moderately critical".
O'Neal also criticized Clearswift for its unresponsiveness. "After months of requesting a status update on these issues (without any response), the patches for these vulnerabilities have been released without any discussion or coordination with ourselves, and as is becoming the norm, completely unattributed," he wrote in the advisory.
Clearswift's Morris said the company was aware of Morris' research, but had already planned the update, so felt no need for attribution. The company has a policy of working with security researchers and crediting them, he said, but tends not to "stand up and sing and dance" about security problems.
"We are not as widely deployed as Microsoft, so we don't have to be up-front," Morris said.