From: Chris Timmons [chris-timmons@HOME.COM] Sent: Thursday, June 15, 2000 10:39 PM To: BUGTRAQ@SECURITYFOCUS.COM Subject: Re: Vulnerabilities in Norton Antivirus for Exchange This sounds like it is linked to the same problem that I mentioned in NTBugtraq and to Microsoft for the last little while. I bet you dollars to donuts it is the Explorer shell crashing and everything in the same thread. (MSRC 175) >2. Buffer Overrun in the NavExchange unzip engine >Because an e-mail message could contain an attachment which is a .zip file,> >and members of the .zip archive might contain viruses, NavExchange includes >a component for unzipping files. This component contains a buffer overrun >when the .zip attachment contains long file names. >On 5/15/00, a message was posted to Bugtraq publishing a vulnerability in >Eudora concerning .zip attachments with long file names. An attachment was >included to illustrate the problem. This attachment caused a NavExchange >failure, indicating that NavExchange suffers from the same problem. >The message in question has Message-ID ><002801bfbe6c$eccd5bd0$0100a8c0@ultor> from Ultor , subject: >Eudora Pro & Outlook Overflow - too long filenames again mpacts fall into three grades of severity: >A) Entry Mechanism for viruses >A virus "armored" inside of a .zip attachment with long file names is >virtually guaranteed to be able to slip through NavExchange and reach the >recipient. In this case the system administrator will have an Event Log >message noting the failure, but may not realize the implications. Many NT >systems have no method of explicitly notifying the system administrator when >Event Log messages of a particular kind occur, and indeed the whole Event >Log mechanism typically requires dilligence on the part of the system >administrator to scan these logs manually. Since such an armored e-mail >message could arrive overnight or on a weekend, there is more than sufficent >time for the message to trigger an infection before the Event Log message is >noticed.