Anti-virus company Sophos has had to issue a new patch to
correct flaws in the fix it released last week to protect users
against the MyDoom worm. Sophos admitted that the original patch to
its gateway software for enterprise users may not be able to detect
MyDoom and could crash, locking up the server.
It also warned users of third-party anti-virus gateways that its
SAVI programming interface would be affected by the flaw.
According to Phil Wood, product manager at Sophos, the problem
arose because some e-mail servers were not handling e-mail encoded
in the MIME format correctly.
He said the server should stop any e-mail with errors in the MIME
encoding, but that in some instances invalid messages were getting
through. Such invalid MIME messages would cause the Sophos e-mail
gateway software to crash. Wood said it was impossible to
anticipate all types of malformed messages.
As well as crashing the Sophos gateway, the flaw may cause Sophos
to fail to detect MyDoom when it is embedded in failed e-mail
notifications sent from the qmail Unix mail server.
Independent security consultant Phil Cracknell said the problems
with Sophos might have arisen because the MyDoom worm caught virus
researchers by surprise. "Researchers cannot develop an antidote
fast enough," he said. Cracknell believed that researchers had to
rush out an anti-virus update before fully understanding the
virus.
Affected users are advised to download the operating
system-specific version of Sophos Anti-Virus.
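
The two failure modes described above, a gateway that crashes on invalid MIME and a scanner that misses content carried inside a qmail failure notice, can both be handled by a parsing wrapper that fails closed. The following is an added example, not Sophos code and not part of the original article. It assumes qmail's plain-text bounce layout, in which the original message follows the line "--- Below this line is a copy of the message."; the function names, the depth limit and the sample messages are constructed for illustration.

```python
import email
from email import policy

QMAIL_MARKER = b"--- Below this line is a copy of the message."
MAX_DEPTH = 5  # assumed cap on bounce-inside-bounce nesting

class MalformedMessage(ValueError):
    pass

def collect_parts(raw, depth=0):
    """Return [(filename, decoded_bytes)] for every leaf part, following the
    original message that a qmail bounce quotes as plain text."""
    if depth > MAX_DEPTH:
        raise MalformedMessage("nesting too deep")
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():
        if part.defects:  # structural problem, e.g. a missing boundary
            raise MalformedMessage(type(part.defects[0]).__name__)
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        if part.defects:  # decoding problem, e.g. invalid base64
            raise MalformedMessage(type(part.defects[0]).__name__)
        found.append((part.get_filename(), body))
        if part.get_content_type() == "text/plain" and QMAIL_MARKER in body:
            quoted = body.split(QMAIL_MARKER, 1)[1].lstrip(b"\r\n")
            found += collect_parts(quoted, depth + 1)
    return found

def gateway_verdict(raw):
    """Fail closed: a parse problem quarantines instead of crashing or passing."""
    try:
        parts = collect_parts(raw)
    except Exception as exc:  # MalformedMessage or an unexpected parser error
        return ("quarantine", f"{type(exc).__name__}: {exc}")
    return ("scan", [name for name, _ in parts if name])

# Constructed sample data: harmless payload, example domains.
ORIGINAL = (b"From: sender@example.org\r\nMIME-Version: 1.0\r\n"
            b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
            b"--b1\r\nContent-Type: text/plain\r\n\r\ntest\r\n--b1\r\n"
            b"Content-Type: application/octet-stream\r\n"
            b'Content-Disposition: attachment; filename="document.zip"\r\n'
            b"Content-Transfer-Encoding: base64\r\n\r\nY29uc3RydWN0ZWQ=\r\n--b1--\r\n")
BOUNCE_HEAD = (b"From: MAILER-DAEMON@mail.example\r\nSubject: failure notice\r\n\r\n"
               b"Hi. This is the qmail-send program at mail.example.\r\n\r\n"
               + QMAIL_MARKER + b"\r\n\r\n")
BROKEN = ORIGINAL.replace(b"--b1--\r\n", b"")  # closing boundary missing
```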