Clearswift has updated its popular
Mailsweeper e-mail-filtering product, tightening up handling of
particular compressed file formats that could be used to slip
malicious code into a business network.
But while Clearswift was careful to characterise the change as a
routine update, security researchers have accused the company of
fixing a security hole and hoping no one would notice.
Clearswift's hotfix for Mailsweeper 4.3.15 is available directly
from the company.
Security has become a sensitive issue in the enterprise, with
corporate networks battered by damaging virus outbreaks, and some
companies have been criticised for attempting to maintain a
reputation for good security by keeping their own vulnerabilities
out of the spotlight.
In May, for example, security researchers warned of two serious
bugs in Apple Computer's Mac OS X operating system, and were
dismayed when Apple went out of its way to downplay the seriousness
of the problem.
Clearswift said this week that its Mailsweeper update allows the
tool to identify several relatively new compressed file formats
that had been left out of the earlier product. But the company said
these formats did not previously pose a problem.
"The file types highlighted would come through as unknown and
would be put into quarantine, so there is no vulnerability," said
Clearswift product director Andy Morris. In any case, the file
types are rarely encountered in the wild, he added.
However, Martin O'Neal of UK-based security firm Corsaire said
that versions of Mailsweeper prior to 4.3.15 - that is, prior to
Clearswift's update last week - are vulnerable to attacks by
several types of compressed files because the product does not
detect the presence of the files.
In some cases, Mailsweeper also does not identify the name of
file attachments when they are encoded, O'Neal said.
In Corsaire's tests, Mailsweeper did not block potentially
malicious executable files encoded in some compression formats,
despite Clearswift claiming compatibility with those formats.
"By virtue of the encoding formats not being detected, the
container and the contents are passed through the system without
being analysed," O'Neal said.
Newer formats such as 7ZIP and ACE were not detected, while the
TAR format, listed as compatible with Mailsweeper, produced an
error in the product, O'Neal said. He said some formats, such as
RAR and ZIP, that were listed as being compatible, were
version-dependent - the product didn't support newer versions of
the formats.
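The failure mode Corsaire describes above is a content-type identification gap: if the filter does not recognise the container, the container and everything inside it are never unpacked or scanned, and the encoded attachment name can hide the extension as well. The following is an added example, not code from Clearswift, Corsaire or Secunia, showing how a mail gateway can classify attachments by magic bytes rather than by declared name, decode RFC 2047 encoded-word filenames for logging, and apply a fail-closed policy so that an unrecognised container is quarantined instead of delivered unanalysed. The signature table is built from the public format specifications; the SUPPORTED set, the Verdict type and the sample buffers are assumptions constructed for the example.

```python
"""Attachment triage by container signature with a fail-closed policy (illustrative)."""
from dataclasses import dataclass
from email.header import decode_header, make_header

# (offset, magic bytes, label). Taken from the public format specs; offset-based
# checks matter because tar ("ustar") and ACE ("**ACE**") do not start at byte 0.
SIGNATURES = [
    (0, b"PK\x03\x04", "zip"),
    (0, b"Rar!\x1a\x07\x00", "rar4"),
    (0, b"Rar!\x1a\x07\x01\x00", "rar5"),
    (0, b"7z\xbc\xaf\x27\x1c", "7z"),
    (0, b"\x1f\x8b", "gzip"),
    (257, b"ustar", "tar"),
    (7, b"**ACE**", "ace"),
]

# Hypothetical: containers this gateway can actually unpack and scan. Anything
# else is "unsupported" even if it is correctly identified.
SUPPORTED = {"zip", "gzip", "tar", "rar4"}


@dataclass
class Verdict:
    fmt: str      # identified container format, or "unknown"
    name: str     # decoded attachment filename (for logging only)
    action: str   # "scan", "quarantine" or "deliver"


def identify(data: bytes) -> str:
    """Return the container label for the leading bytes, or 'unknown'."""
    for offset, magic, label in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return label
    return "unknown"


def decoded_filename(header_value: str) -> str:
    """Decode an RFC 2047 encoded-word filename such as =?utf-8?b?...?=."""
    return str(make_header(decode_header(header_value)))


def decide(data: bytes, filename_header: str, fail_closed: bool = True) -> Verdict:
    """Classify by content, never by the declared name; unknown/unsupported
    containers are quarantined when fail_closed, delivered unanalysed otherwise."""
    fmt = identify(data)
    name = decoded_filename(filename_header)
    if fmt in SUPPORTED:
        return Verdict(fmt, name, "scan")
    return Verdict(fmt, name, "quarantine" if fail_closed else "deliver")


# Constructed sample attachments: only the leading bytes need to be realistic
# for signature matching, so the bodies are padding.
SAMPLE_7Z = b"7z\xbc\xaf\x27\x1c" + b"\x00" * 32
SAMPLE_ACE = b"\x00" * 7 + b"**ACE**" + b"\x00" * 32
SAMPLE_TAR = b"\x00" * 257 + b"ustar\x00" + b"\x00" * 32
SAMPLE_ZIP = b"PK\x03\x04" + b"\x00" * 32
SAMPLE_UNKNOWN = b"\x42" * 64

# Constructed encoded-word header: decodes to "invoice.7z"
ENCODED_NAME = "=?utf-8?b?aW52b2ljZS43eg==?="


def triage(fail_closed: bool = True) -> dict:
    """Run the samples through the policy; returns {filename: action}."""
    samples = {
        "report.tar": SAMPLE_TAR,
        "photos.zip": SAMPLE_ZIP,
        ENCODED_NAME: SAMPLE_7Z,          # name is encoded, content is 7z
        "update.exe.ace": SAMPLE_ACE,
        "readme.txt": SAMPLE_UNKNOWN,
    }
    out = {}
    for header, data in samples.items():
        v = decide(data, header, fail_closed)
        out[v.name] = v.action
    return out


if __name__ == "__main__":
    for policy in (True, False):
        print("fail_closed =", policy)
        for name, action in triage(policy).items():
            print(f"  {name:16} -> {action}")
```

Run with both policies and the difference is the one the article turns on: with fail_closed the 7z and ACE samples are quarantined as unrecognised containers (the behaviour Clearswift described), while with fail-open they reach the mailbox without their contents ever being examined (the behaviour Corsaire reported). Decoding the filename only changes what is logged, not the verdict, which is why the decision is keyed on identify() rather than on the name.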
"The fact that a file format isn't very common is hardly an
excuse when the product lists support for those file types on the
product information page," said Thomas Kristensen, chief technical
officer of security firm Secunia.
In its advisory, Secunia ranked the issue "moderately
critical".
"After months of requesting a status update on these issues
[without any response], the patches for these vulnerabilities have
been released without any discussion or co-ordination with
ourselves, and as is becoming the norm, completely unattributed,"
said O'Neal.
"We are not as widely deployed as Microsoft, so we don't have to
be up-front," Clearswift's Morris said.
Matthew Broersma writes for Techworld.com