Security firms question Clearswift upgrade


Clearswift has updated its popular Mailsweeper e-mail-filtering product, tightening up handling of particular compressed file formats that could be used to slip malicious code into a business network.

But while Clearswift was careful to characterise the change as a routine update, security researchers have accused the company of fixing a security hole and hoping no one would notice.

Clearswift's hotfix for Mailsweeper 4.3.15 is available directly from the company.

Security has become a sensitive issue for enterprises whose networks have been battered by damaging virus outbreaks, and some vendors have been criticised for protecting their reputation for good security by keeping their own vulnerabilities out of the spotlight.

In May, for example, security researchers warned of two serious bugs in Apple Computer's Mac OS X operating system, and were dismayed when Apple went out of its way to downplay the seriousness of the problem.

Clearswift said this week that its Mailsweeper update allows the tool to identify several relatively new compressed file formats that had been left out of the earlier product. But the company said these formats did not previously pose a problem.

"The file types highlighted would come through as unknown and would be put into quarantine, so there is no vulnerability," said Clearswift product director Andy Morris. In any case, the file types are rarely encountered in the wild, he added.

However, Martin O'Neal of UK-based security firm Corsaire said that versions of Mailsweeper prior to 4.3.15, that is, prior to Clearswift's update last week, are vulnerable to attacks using several types of compressed file because the product does not detect those archive formats at all.

In some cases, Mailsweeper also does not identify the name of file attachments when they are encoded, O'Neal said.

In Corsaire's tests, Mailsweeper did not block potentially malicious executable files encoded in some compression formats, despite Clearswift claiming compatibility with those formats.

"By virtue of the encoding formats not being detected, the container and the contents are passed through the system without being analysed," O'Neal said.

Newer formats such as 7ZIP and ACE were not detected, while the TAR format, listed as compatible with Mailsweeper, produced an error in the product, O'Neal said. He said support for some formats listed as compatible, such as RAR and ZIP, was version-dependent: the product did not handle newer versions of those formats.
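The failure mode Corsaire describes is a container-identification gap: an archive whose format (or format version) the filter does not recognise is never opened, so whatever it holds is never scanned. The small sniffer below is an added example, not Clearswift's or Corsaire's code, and not a reproduction of Mailsweeper's logic. It identifies the formats named in the article from their well-known magic bytes, uses the RAR4/RAR5 signature split as the illustration of version dependence (a newer split than the RAR versions the article had in mind), and shows the difference between a filter that passes unknown containers (the behaviour Corsaire reports) and one that quarantines them (the behaviour Clearswift claims). It also decodes an RFC 2047 encoded-word filename, since a filter that matches on the raw header value never sees the real extension. All sample data is constructed inline.

```python
"""Added example: magic-byte container identification with fail-open versus
fail-closed handling of unrecognised formats. Not the product's own code."""
from email.header import decode_header, make_header

# Well-known format signatures: (name, byte offset, magic bytes).
SIGNATURES = (
    ("zip",  0,   b"PK\x03\x04"),
    ("rar4", 0,   b"Rar!\x1a\x07\x00"),
    ("rar5", 0,   b"Rar!\x1a\x07\x01\x00"),
    ("7z",   0,   b"7z\xbc\xaf\x27\x1c"),
    ("ace",  7,   b"**ACE**"),          # ACE keeps its marker at offset 7
    ("tar",  257, b"ustar"),            # POSIX ustar marker at offset 257
)


def identify(data: bytes) -> str:
    """Return the container format name, or 'unknown' if no signature matches."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return "unknown"


def verdict(data: bytes, known: set, fail_open: bool) -> str:
    """Decide what a filter does with an attachment.

    'scan' means the container is opened and its contents analysed. For a
    container the filter does not recognise, a fail-open filter passes it
    through untouched, a fail-closed filter quarantines it.
    """
    if identify(data) in known:
        return "scan"
    return "pass" if fail_open else "quarantine"


def attachment_name(raw_header_value: str) -> str:
    """Decode an RFC 2047 encoded-word filename (e.g. from Content-Disposition)."""
    return str(make_header(decode_header(raw_header_value)))


def undetected(samples: dict, known: set) -> list:
    """List the sample formats a filter with the given support set would not open."""
    return sorted(name for name, data in samples.items()
                  if identify(data) not in known)


# Constructed minimal headers, one per format (only the signature bytes matter).
_tar_header = bytearray(512)
_tar_header[257:262] = b"ustar"
SAMPLES = {
    "zip":  b"PK\x03\x04" + b"\x00" * 26,
    "rar4": b"Rar!\x1a\x07\x00" + b"\x00" * 8,
    "rar5": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 8,
    "7z":   b"7z\xbc\xaf\x27\x1c" + b"\x00" * 26,
    "ace":  b"\x00" * 7 + b"**ACE**" + b"\x00" * 8,
    "tar":  bytes(_tar_header),
}

# A filter that supports only an older set of formats (hypothetical support list).
OLD_KNOWN = {"zip", "rar4", "tar"}
# A filter updated to recognise the newer formats and RAR version.
NEW_KNOWN = OLD_KNOWN | {"rar5", "7z", "ace"}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:5s} identified as {identify(data):8s}"
              f" old/fail-open={verdict(data, OLD_KNOWN, True):10s}"
              f" old/fail-closed={verdict(data, OLD_KNOWN, False)}")
    print("missed by old filter:", undetected(SAMPLES, OLD_KNOWN))
    print("decoded filename:", attachment_name("=?utf-8?b?cGF5bG9hZC5hY2U=?="))
```

The point of `verdict` is the policy split: with the same limited signature table, a fail-open filter hands a 7z, ACE or RAR5 container to the user unscanned, whereas a fail-closed one quarantines it. Either way the content is not analysed, so adding signatures for the newer formats is the actual fix; fail-closed only bounds the damage until that happens.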

"The fact that a file format isn't very common is hardly an excuse when the product lists support for those file types on the product information page," said Thomas Kristensen, chief technical officer of security firm Secunia.

In its advisory, Secunia ranked the issue "moderately critical".

"After months of requesting a status update on these issues [without any response], the patches for these vulnerabilities have been released without any discussion or co-ordination with ourselves, and as is becoming the norm, completely unattributed," said O'Neal.

"We are not as widely deployed as Microsoft, so we don't have to be up-front," Clearswift's Morris said.

Matthew Broersma writes for
