Re: Vulnerabilities in Norton Antivirus for Exchange

[chris-timmons () HOME COM (Chris Timmons)]

This sounds like it is linked to the same problem that I mentioned in
NTBugtraq and to Microsoft for the last little while. I bet you dollars to
donuts it is the Explorer shell crashing and everything in the same thread.
(MSRC 175)

> 2.  Buffer Overrun in the NavExchange unzip engine

> Because an e-mail message could contain an attachment which is a .zip
file,>
> and members of the .zip archive might contain viruses, NavExchange includes
> a component for unzipping files.  This component contains a buffer overrun
> when the .zip attachment contains long file names.

> On 5/15/00, a message was posted to Bugtraq publishing a vulnerability in
> Eudora concerning .zip attachments with long file names.  An attachment was
> included to illustrate the problem.  This attachment caused a NavExchange
> failure, indicating that NavExchange suffers from the same problem.

> The message in question has Message-ID
> <002801bfbe6c$eccd5bd0$0100a8c0@ultor> from Ultor <Ultor () HERT ORG>,
subject:

> Eudora Pro & Outlook Overflow - too long filenames again
mpacts fall into three grades of severity:

> A) Entry Mechanism for viruses

> A virus "armored" inside of a .zip attachment with long file names is
> virtually guaranteed to be able to slip through NavExchange and reach the
> recipient.  In this case the system administrator will have an Event Log
> message noting the failure, but may not realize the implications.  Many NT
> systems have no method of explicitly notifying the system administrator
when
> Event Log messages of a particular kind occur, and indeed the whole Event
> Log mechanism typically requires dilligence on the part of the system
> administrator to scan these logs manually.  Since such an armored e-mail
> message could arrive overnight or on a weekend, there is more than
sufficent
> time for the message to trigger an infection before the Event Log message
is
> noticed.