GFI released an update to its email exploit engine today which can detect any viruses that exploit a newly discovered Outlook 2002 vulnerability. The new Outlook vulnerability, MS04-009, was yesterday upgraded to “high risk” by Microsoft Corp, which issued a patch against it on Tuesday (more details at http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx). The vulnerability is related to the way mailto URLs are handled and could allow Internet Explorer to execute code on affected machines.
To exploit this vulnerability, attackers could simply create an HTML email that either lures the recipient into clicking a link in the message body or that contains a fake image that can automatically launch a link without requiring user intervention. The payload of such an attack could include running JavaScript under the My Computer (local) Security Zone. This means that the attacker could execute code on the local disk of unpatched machines and/or access user files.
New viruses based on this exploit can be caught by GFI’s gateway-level exploit engine
Users of GFI MailSecurity for Exchange/SMTP – GFI’s email content checking, exploit detection, threats analysis and antivirus solution – simply need to download the latest exploit engine updates to allow GFI MailSecurity to detect any new viruses that use this exploit to propagate and infect systems. Information on how to update the GFI MailSecurity exploits database and technical information about the exploit are available at http://www.gfi.com/news/en/ms04009exploit.htm.
The difference between a virus engine and an exploit engine
Antivirus software is designed to detect known malicious code. An email exploit engine takes a different approach: it analyses the code for exploits that could be malicious. Email exploit detection software analyzes emails for exploits - i.e., it scans for methods used to exploit the OS, email client or Internet Explorer - that can permit execution of code or a program on the user's system. It does not check whether the program is malicious or not. It simply assumes there is a security risk if an email is using an exploit in order to run a program or piece of code.
In this manner, an email exploit engine works like an intrusion detection system for email. The email exploit engine might cause more false positives, but it adds a new layer of security that is not available in a normal antivirus package, simply because it uses a totally different way of securing email.
An exploit engine needs to be updated less frequently than an antivirus engine because it looks for a method rather than a specific virus. Although keeping exploit and antivirus engines up-to-date involve very similar operations, the results are different. Once an exploit is identified and incorporated in GFI MailSecurity’s exploit engine, that engine can protect against any new virus that is based on a known exploit. That means the exploit engine will catch the virus even before the antivirus vendor is aware of its emergence, and certainly before the antivirus definition files have been updated to counter the attack. Further information is available at http://www.gfi.com/mailsecurity/wpexploitengine.htm.
About GFI MailSecurity for Exchange/SMTP
GFI MailSecurity for Exchange/SMTP is an email content checking, exploit detection, threats analysis and antivirus solution that removes all types of email-borne threats before they can affect an organization's email users. GFI MailSecurity's key features include multiple virus engines, to guarantee higher detection rate and faster response to new viruses; email content and attachment checking, to quarantine dangerous attachments and content; an exploit shield, to protect against present and future viruses based on exploits (e.g., Nimda, Bugbear); an HTML threats engine, to disable HTML scripts; a Trojan & Executable Scanner, to detect malicious executables; and more. Further information and a full evaluation version are available at http://www.gfi.com/mailsecurity/.
About GFI
GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. GFI has offices in the US, Malta, UK, Hong Kong and Australia which support more than 200,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners worldwide. GFI is a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.