The Trick - Content-Type: audio/x-wav; name="fzoirb.exe"
#1
Guest
Posts: n/a

Hello

you know the trick in emails where an attachment comes with content

Content-Type: audio/x-wav; name="fzoirb.exe"

I have been receiving this attempt at an attack for quite some time now

what happens?

does the current version of Outlook (or other Windows email clients) actually try to run the program automatically?

(That would be a side effect of just passing the .exe name to the shell for execution, as passing just the .wav name would load up the default media player, but an exe would execute the exe)

surely they must all have been patched by now

If not, anyone know which ones handle this correctly (i.e. don't just use the shell to autoload the media player...???)

ta.

#2
Guest
Posts: n/a

Bitstring <pan.2004.01.16.11.33.41.845967@blueyonder.co.uk>, from the wonderful person Englander <specialaka@blueyonder.co.uk> said

>Hello
>
>you know the trick in emails where an attachment comes with content
>
>Content-Type: audio/x-wav; name="fzoirb.exe"
>
>I have been receiving this attempt at an attack for quite some time now
>
>what happens?

Try googling for 'malformed MIME header exploit'. This has been patched ages ago, however some people appear not to apply patches, and virus writers, like spammers, seem quite happy with a 1% success rate. Of course the 1% who haven't patched will also have failed to run any virus checkers.

--
GSV Three Minds in a Can
Outgoing Msgs are Turing Tested, and indistinguishable from human typing.

#3
Guest
Posts: n/a

On Fri, 16 Jan 2004 11:53:05 +0000, GSV Three Minds in a Can wrote:

> Bitstring <pan.2004.01.16.11.33.41.845967@blueyonder.co.uk>, from the
>
> Try googling for 'malformed MIME header exploit'. This has been patched
> ages ago, however some people appear not to apply patches, and virus
> writers, like spammers, seem quite happy with a 1% success rate. Of
> course the 1% who haven't patched will also have failed to run any virus
> checkers.

Yeah, patches... depends if you have just reinstalled Windows ME (not again...) and go online to get the updates and think oh, I'll just check my email...

Got to be careful all the time. Antivirus on first... and don't check email until all patches applied...

looks like the virus writers/hackers had a nice big window until Microsoft plugged it... (and probably opened 2 more)

rgds.

#4
Guest
Posts: n/a

Bitstring <pan.2004.01.16.15.51.38.79818@blueyonder.co.uk>, from the wonderful person Englander <specialaka@blueyonder.co.uk> said

>On Fri, 16 Jan 2004 11:53:05 +0000, GSV Three Minds in a Can wrote:
>
>> Bitstring <pan.2004.01.16.11.33.41.845967@blueyonder.co.uk>, from the
>>
>> Try googling for 'malformed MIME header exploit'. This has been patched
>> ages ago, however some people appear not to apply patches, and virus
>> writers, like spammers, seem quite happy with a 1% success rate. Of
>> course the 1% who haven't patched will also have failed to run any virus
>> checkers.
>
>Yeah, patches... depends if you have just reinstalled windows ME

Installing WinME is self-inflicted injury. Give it up and migrate to XP (or back to Win95).

--
GSV Three Minds in a Can
Outgoing Msgs are Turing Tested, and indistinguishable from human typing.

#5
Guest
Posts: n/a

"Englander" <specialaka@blueyonder.co.uk> wrote in message news:pan.2004.01.16.11.33.41.845967@blueyonder.co.uk...

> Hello

Hello.

> you know the trick in emails where an attachment comes with content

Yes.

> Content-Type: audio/x-wav; name="fzoirb.exe"

Incorrect MIME type exploit.

> I have been receiving this attempt at an attack for quite some time now

Don't feel lonely.

> what happens?

Nothing (hopefully), but the author thought it was worth a try to include this old trick anyway. There are still plenty of broken MS e-mail clients out there.

> does the current version of outlook (or other windows email clients)
> actually try to run the program automatically?

No, current ones are not vulnerable to this particular problem.

> (That would be a side effect of just passing the .exe name to the shell
> for execution, as passing just the .wav name would load up the default
> media player, but an exe would execute the exe)

Right, sort of... I think. The x-wav name is only good enough for the e-mail client to give it the "safe to pass" status ~ it would be the .exe actually being passed in any event. They seem to have mistakenly allowed for the possibility of "lying" to the e-mail client's content-type restrictions. The client relied solely on the "Content-Type" field for the content's type rather than on the actual content (or even filename).

> surely they must all have been patched by now

Surely. (but what's next?)

> If not, anyone know which ones handle this correctly (i.e. dont just use
> the shell to autoload the media player...???)

If the "Content-Type" and the actual filename do not match (like in your example [audio/x-wav != .exe] ) ~ then it is most likely something you don't want to play *or* execute anyway. As for any wanted content, you should be reasonably safe allowing any audio or video data to be fed to the appropriate (sane) player. If you *really* want to be safer, opt for text only mail and news.
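
The mismatch check described in the last reply (declared Content-Type versus attachment file name), written as a mail-filter routine. This is an added example, not code from the thread; the function name, the extension list and the sample message are constructed for illustration.

```python
import os
from email import message_from_string

# Extensions the Windows shell runs as programs (illustrative, not exhaustive).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# Declared main types a mail client would treat as passive media or text.
PASSIVE_MAIN_TYPES = {"audio", "video", "image", "text"}

def find_type_mismatches(raw_message):
    """Return (declared_type, filename) for media/text parts with executable names."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, then falls
        # back to the name= parameter of Content-Type used in the thread.
        name = part.get_filename()
        if not name:
            continue
        # Windows ignores trailing dots and spaces, so strip them first.
        ext = os.path.splitext(name.rstrip(". ").lower())[1]
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in PASSIVE_MAIN_TYPES:
            findings.append((part.get_content_type(), name))
    return findings

# Constructed sample message; each payload is the harmless text "not a wav".
SAMPLE = """\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: audio/x-wav; name="hello.wav"
Content-Transfer-Encoding: base64

bm90IGEgd2F2
--b1
Content-Type: audio/x-wav; name="fzoirb.exe"
Content-Transfer-Encoding: base64

bm90IGEgd2F2
--b1--
"""
```

A filter built this way quarantines on the file name as well as the declared type, so a part cannot pass as audio just because its header says so.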