Sophos fixes anti-virus protection bypass


Sophos has admitted that version 3.78 of its anti-virus software can be bypassed by a virus-laden e-mail if it does not contain any Mime boundary definitions.

Mime, or Multipurpose Internet Mail Extensions, is the basic protocol used for sending graphics, audio and video by e-mail. But Sophos has found that delivery status notifications that are infected with the MyDoom virus and generated by qmail mail servers (the second-largest in number on the internet) slip through the anti-virus software undetected.

Only bounced e-mails from qmail servers set up to include the original e-mail lack Mime boundary definitions and so slip through. But it remains a significant security hole, considering the number of qmail servers - around one million - and that the impact of many modern viruses and worms comes from the e-mails automatically created by their appearance.
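The gap described above, as an added example that is not from the article or from Sophos: a scanner that walks only the Mime structure declared by the outer message finds nothing in such a bounce, while re-parsing the quoted original exposes its attachment. The marker string, function names and sample message are assumptions made for illustration.

```python
import email

# Line qmail-send writes before the quoted original in a bounce (assumed from
# qmail's standard bounce text; the article does not quote it).
QMAIL_COPY_MARKER = "--- Below this line is a copy of the message."

# Constructed sample: a qmail-style bounce with no Mime headers of its own,
# quoting an original message that carries an attachment.
BOUNCE = """\
From: MAILER-DAEMON@mail.example.org
Subject: failure notice

Hi. This is the qmail-send program at mail.example.org.
<nobody@example.net>: Sorry, no mailbox here by that name.

--- Below this line is a copy of the message.

From: user@example.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="document.zip"

(constructed placeholder payload)
--b1--
"""

def filenames(msg):
    """Attachment names found by walking a message's declared Mime parts."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def scan_declared(raw):
    """What a scanner sees if it trusts only the outer Mime structure."""
    return filenames(email.message_from_string(raw))

def scan_with_embedded(raw):
    """Also re-parse an original message quoted in a non-Mime bounce body."""
    msg = email.message_from_string(raw)
    found = filenames(msg)
    if not msg.is_multipart():
        _, marker, quoted = msg.get_payload().partition(QMAIL_COPY_MARKER)
        if marker:
            found += filenames(email.message_from_string(quoted.lstrip("\r\n")))
    return found
```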

On top of that, a separate bug in the scanning engine means that the anti-virus software can be used to launch a denial-of-service attack on a PC if certain Mime headings are used. An "unexpectedly terminated Mime header" will send the application into an infinite loop, eating system resources in the process.

An unpatched version of the software will soon prove a liability rather than offering any sort of protection, as virus writers latch onto the idea, and the software itself can be used to bring down your computer.

An updated version of the software - 3.78d - which patches the holes, is available for download from http://www.sophos.com/support/news/#mime-378.

Kieren McCarthy writes for Techworld.com

