Re: Multi-vendor AV gateway image inspection bypass vulnerability

[Nils Ketelsen <nils () steering-group net>]

On Wed, Jan 12, 2005 at 12:37:42PM -0800, Steven Rakick wrote:
> This would mean that if an image exploiting the
> recently announced Microsoft LoadImage API overflow
> were imbedded into HTML email there would be zero
> defense from the network layer as it would be
> completely invisible.

Yes. I am planning to test, what that means to all those content filtering
proxies. I have found one product that claims to be able to block "MIME
content in HTML", I think they are referring to RfC2397 with that. 

> Why am I not seeing more about this in the press? It
> seems pretty threatening to me...

Internet Explorer does not Implement RfC2397. That means it is interesting
for a far smaller audience. ;-)

Nils
-- 
Nils Ketelsen  // Mississauga, Canada
43° 35' 13"N, 79° 38' 23"W
mailto:`#!/bin/sh`@druecke.strg-alt.entf.org
http://druecke.strg-alt-entf.org/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html