From jhardin@wolfenet.com Mon Aug 3 17:17:25 1998 X-Delivered: at request of bin on uncle Received: from wolfenet.com (root@frapp.wolfe.net [207.178.61.5]) by uncle.ssc.com (8.8.5/8.8.5) with ESMTP id RAA20843 for ; Mon, 3 Aug 1998 17:17:24 -0700 Received: from gypsy.rubyriver.com (root@sea-e24.wolfenet.com [209.63.211.24]) by wolfenet.com (8.8.8/8.8.8) with ESMTP id RAA22512 for ; Mon, 3 Aug 1998 17:17:19 -0700 (PDT) Received: from localhost (jhardin@gypsy.wolfenet.com [127.0.0.1]) by gypsy.rubyriver.com (8.8.8/8.8.8) with SMTP id RAA30779 for ; Mon, 3 Aug 1998 17:16:47 -0700 Date: Mon, 3 Aug 1998 17:16:45 -0700 (PDT) From: "John D. Hardin" X-Sender: jhardin@gypsy.rubyriver.com To: gazette@ssc.com Subject: ANNOUNCE: Procmail Filters Kit blocks MIME buffer-overflow exploit messages Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Status: RO (For publication as you see fit) Linux and other *nix admins out there *worldwide* who process email for anyone using a Windows-based email client should read through this - ISPs in particular. If your email environment has no Windows desktops, you don't need to worry (well, at least not about the Outlook Worm... :) Perhaps MS should rename their email client to "Lookout!!!" >:) [1] ----------------------------------------------------------------------- A server-side fix for the email security hole in Outlook, Outlook Express, Netscape Mail (and who knows what other Windows-based email clients) *does* exist. It is based upon the Procmail email filtering program (which is installed as the default delivery agent in Redhat Linux). Any Linux or other *nix system administrator providing email services for Windows users should consider installing this set of security filters. This email filtering does nothing to fix the bug itself. Instead, it prevents users from receiving messages containing an exploit. Corporations and ISPs can install this software on their email servers and sanitize email as it is received, before it is even transferred to the end-user's system to be read. This will give the client vendors time to develop, test and publish patches, and administrators time to make sure all of their users (or clients in the case of an ISP) are notified and have their email clients patched. The filters package sanitizes the following possible remote exploits and undesirable behavior: - MIME attachment filenames longer than 100 characters are truncated to 64 characters. This is short enough to avoid triggering the security hole in the email client programs, yet should be long enough for real-life filenames. - Excessively long "Content-Type:" MIME headers are truncated, preventing buffer-overflow crashes or exploits in some email clients. - Executable attachments have their filenames mangled so that they cannot be executed merely by double-clicking on them; instead they must be saved and renamed manually. I have had reports of executable attachments (typically HTML files) being automatically run without user intervention in some mail clients. - Active HTML tags in the email body (OBJECT, APPLET, SCRIPT, etc.) are mangled to prevent their automatic execution. This prevents things like an email message that, whenever you try to read it, shuts down your email client, automatically opens a porn site in a browser window, or freezes or crashes your system. The Procmail email sanitizing ruleset by itself is available at ftp://ftp.rubyriver.com/pub/jhardin/antispam/html-trap.procmail I have also uploaded it to sunsite.unc.edu - it should be available there shortly. You can also visit my Procmail Filters Kit web page at http://www.wolfenet.com/~jhardin/procmail-kit.html for more details, installation instructions and the full modular anti-spam filters kit. For media hype, visit http://www.sjmercury.com/business/tech/docs/secure080298.htm [1] I know: old joke. Sorry. -- John Hardin KA7OHZ jhardin@wolfenet.com pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5 PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76 ----------------------------------------------------------------------- Your mouse has moved. Windows NT must be restarted for the change to take effect. Reboot now? [ OK ] ----------------------------------------------------------------------- 84 days until Daylight Savings Time ends