GFI MailSecurity’s Exploit Engine Safeguards Against New High Risk Outlook Vulnerability
London, UK, 11 March 2004 – GFI released an update to its email exploit engine today which can detect any viruses that exploit a newly discovered Outlook 2002 vulnerability. The new Outlook vulnerability, MS04-009, was yesterday upgraded to “high risk” by Microsoft Corp., which issued a patch against it on Tuesday (more details at http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx). The vulnerability is related to the way mailto URLs are handled and could allow Internet Explorer to execute code on affected machines.
To exploit this vulnerability, attackers could simply create an HTML email that either lures the recipient into clicking a link in the message body or that contains a fake image that can automatically launch a link without requiring user intervention. The payload of such an attack could include running JavaScript under the My Computer (local) Security Zone. This means that the attacker could execute code on the local disk of unpatched machines and/or access user files.
New viruses based on this exploit can be caught by GFI’s gateway-level exploit engine
Users of GFI MailSecurity for Exchange/SMTP – GFI’s email content checking, exploit detection, threats analysis and anti-virus solution – simply need to download the latest exploit engine updates to allow GFI MailSecurity to detect any new viruses that use this exploit to propagate and infect systems. Information on how to update the GFI MailSecurity exploits database and technical information about the exploit are available at http://www.gfi.com/news/en/ms04009exploit.htm.
The difference between a virus engine and an exploit engine
Anti-virus software is designed to detect known malicious code. An email exploit engine takes a different approach: it analyses the code for exploits that could be malicious. Email exploit detection software analyzes emails for exploits – i.e., it scans for methods used to exploit the OS, email client or Internet Explorer – that can permit execution of code or a program on the user’s system. It does not check whether the program is malicious or not. It simply assumes there is a security risk if an email is using an exploit in order to run a program or piece of code.
In this manner, an email exploit engine works like an intrusion detection system for email. The email exploit engine might cause more false positives, but it adds a new layer of security that is not available in a normal anti-virus package, simply because it uses a totally different way of securing email.
An exploit engine needs to be updated less frequently than an anti-virus engine because it looks for a method rather than a specific virus. Although keeping exploit and anti-virus engines up-to-date involve very similar operations, the results are different. Once an exploit is identified and incorporated in GFI MailSecurity’s exploit engine, that engine can protect against any new virus that is based on a known exploit. That means the exploit engine will catch the virus even before the anti-virus vendor is aware of its emergence, and certainly before the anti-virus definition files have been updated to counter the attack. Further information is available at http://www.gfi.com/mailsecurity/wpexploitengine.htm.
About GFI MailSecurity for Exchange/SMTP
GFI MailSecurity for Exchange/SMTP is an email content checking, exploit detection, threats analysis and anti-virus solution that removes all types of email- borne threats before they can affect an organization’s email users. GFI MailSecurity’s key features include multiple virus engines, to guarantee higher detection rate and faster response to new viruses; email content and attachment checking, to quarantine dangerous attachments and content; an exploit shield, to protect against present and future viruses based on exploits (e.g., Nimda, Bugbear); an HTML threats engine, to disable HTML scripts; a Trojan & Executable Scanner, to detect malicious executables; and more. Further information and a full evaluation version are available at http://www.gfi.com/mailsecurity/.
About GFI
GFI is a leading provider of Windows-based network security, content security and messaging software. Key products include the GFI FAXmaker fax connector for Exchange and fax server for networks; GFI MailSecurity email content/exploit checking and anti-virus software; GFI MailEssentials server-based anti-spam software; GFI LANguard Network Security Scanner (N.S.S.) security scanning and patch management software; GFI Network Server Monitor that automatically sends alerts, and corrects network and server issues; and GFI LANguard Security Event Log Monitor (S.E.L.M.) that performs event log based intrusion detection and network-wide event log management. Clients include Microsoft, Telstra, Time Warner Cable, Shell Oil Lubricants, NASA, DHL, Caterpillar, BMW, the US IRS, and the USAF. GFI has offices in the US, the UK, Germany, Cyprus, Romania, Australia and Malta, and operates through a worldwide network of distributors. GFI is a Microsoft Gold Certified Partner and has won the Microsoft Fusion (GEM) Packaged Application Partner of the Year award.