<img src="http://www.knightofavl.com/images/ChrissirhC.jpg";>
-----Original Message-----
From: "Randall M" <randallm@fidmail.com>
To: "'Micheal Espinola Jr'" <michealespinola@gmail.com>,"'Full Disclosure'"
<full-disclosure@lists.grok.org.uk>
Date: Tue, 26 Apr 2005 18:39:51 -0500
Subject: RE: [Full-disclosure] Re: email attack vector just got wider
Just my 2cents worth. About the only defense is using programs such as
MailSecurity to block and alert when anything is encrypted or password
protected.
thank you
Randall M
"If we ever forget that we're one nation under God, then we will be a nation
gone under."
- Ronald Reagan
_________________________________
_____
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Micheal
Espinola Jr
Sent: Tuesday, April 26, 2005 11:56 AM
To: Full Disclosure
Subject: [Full-disclosure] Re: email attack vector just got wider
an update:
My latest finding is that Adobe PDF's with embedded attachments can be
bundled and distributed as a Secure Electronic Envelope (eEnvelope).
eEnvelopes are designed to protect documents in transit with the use of
encryption.
Password protected .ZIP's are typically addressed at the SMTP gateway by AV
software with the option to strip or reject compressed file attachments that
are not readily scan-able (due to the password protection, etc).
Although Adobe recommends enabling scanning all file types in order to scan
a PDF (and ass/u/me'ing its embedded contents as well), an AV scanner is not
currently going to be able to scan this encrypted content until the content
has been rendered/unencrypted at the desktop.
While many AV vendors have factored certain compressed archive standards
into their products, I have seen no indication that this is being addressed
for this relatively new and already widely deployed product.
Call me a worry-wort, but I foresee this is the next "in" for malware
distribution.
On 4/25/05, Micheal Espinola Jr <michealespinola@gmail.com> wrote:
Perhaps not "just". My apologies for those that are aware of this, but it
seems Adobe 6 also had this capability - although many people have been
unaware of this. I recently upgrade from 5 to 7, so I missed this potential
issue from the get-go.
Someone pointed out to me that Symantec does have a bulletin stating that by
setting your AV to "scan all files" you can detect a virus inside a file
embedded into a PDF.
Unfortunately, this does not address the blocking of certain attachments
outright.
On 4/25/05, Micheal Espinola Jr <michealespinola@gmail.com
<mailto:michealespinola@gmail.com> > wrote:
It seems most people I know haven't noticed that the new version of Adobe
Acrobat (7) now allows for embedded/attached documents.
Since PDF's have generally been considered a safe document format and are
typically not blocked by content/attachment scanners, this now opens an
email-based attack vector that anti-virus providers [to the best of my
knowledge] are not currently addressing.
Many thanks to Adobe for creating another issue for us to deal with, and
especially for not having the forethought to coordinate with anti-virus
vendors to prepare for assuredly future exploitation of the technology.
--
ME2
my home: <http://www.santeriasys.net/>
my photos: < <http://mespinola.blogspot.com/>
http://mespinola.blogspot.com/>
--
ME2
my home: < <http://www.santeriasys.net/> http://www.santeriasys.net/>
my photos: < <http://mespinola.blogspot.com/>
http://mespinola.blogspot.com/>
--
ME2
my home: <http://www.santeriasys.net/>
my photos: <http://mespinola.blogspot.com/>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
![http://www.knightofavl.com/images/ChrissirhC.jpg"](http://www.knightofavl.com/images/ChrissirhC.jpg"){kind=link}