Government security agency warns of Net infrastructure flaw

The National Infrastructure Security Co-ordination Centre, which is responsible for protecting the UK's electronic...

The National Infrastructure Security Co-ordination Centre, which is responsible for protecting the UK's electronic infrastructure, has warned of a wide range of flaws affecting products that rely on one of the internet's basic protocols.

Software such as e-mail clients, web browsers, anti-virus products, and mail and web content checkers could be at risk because of the way they implement MIME, a standard for encoding e-mail attachments and HTTP content, according to the Unified Incident Reporting and Alert Scheme (UNIRAS). 

The agency identified eight ambiguities in MIME which could allow dangerous content to slip past detection systems. Information security consultancy Corsaire, which provided the research, did not specify which products were affected, but both organisations said vulnerabilities were widespread.

"If a content checker were to parse a MIME message incorrectly and to allow the content to pass through the checker based on an incorrect assessment of its MIME type, the security of the content checker could be bypassed," UNIRAS said.

"If this happened or a content checker was not used, the receiving client could crash or execute arbitrary code if it also parsed the MIME incorrectly."

Corsaire identified the vulnerabilities between June and August 2003 and the centre been working with affected suppliers since then, many of whom have already silently released patches, Corsaire said.

The firm said that if companies have kept up to date with patches on their MIME-based products, they should be protected. However, the only way for them to be sure they are not affected is to contact their suppliers.

A handful of software suppliers provided statements to UNIRAS clarifying the status of their MIME-based products, with Apple, Fujitsu, Hewlett-Packard, IBM, MessageLabs and Sun Microsystems' Mozilla browser team all saying their products were not affected.

PLDaniels Software said versions of its ripMIME product prior to were affected by several of the issues, but the problems have now been fixed.

F-Secure said its workstation products are not vulnerable, but the F-Secure Internet Gatekeeper failed in four of the tests and would be fixed with release 6.41 this autumn.

The problems, detailed by UNIRAS, arose from anomalous parameter values in MIME headers and MIME encodings that do not parse correctly.

"This kind of deliberate corruption has already been used by a number of high-profile viruses and worms, such as Nimda, Netsky and Badtrans," Corsaire said.

Matthew Broersma writes for Techworld

Read more on IT risk management