A test of the ‘Email Security Testing Zone’

GFI is a worldwide supplier of security and communication tools for NT/2000 administrators. GFI’s security product range consists of MailSecurity email content checking + anti-virus software and LANguard network security software.

Seven months ago, GFI announced the Email Security Testing Zone with the purpose of enabling organizations to check whether their computers and email systems are vulnerable to email viruses and attacks. Back then, GFI’s CEO Nick Galea praised this new service with the following words: “GFI’s Email Security Testing Zone now allows organizations to instantly discover if they are vulnerable, enabling them to take proactive steps to defend their email system”.

A few hours ago, we received the latest press release from GFI, entitled “GFI’s Email Security Testing Zone Launches 3 New Tests”. While adding it to the HNS web site, I browsed their ‘Email Zone’ and wrote a brief overview of some of the tests and security issues the tests are trying to exploit.

The test computer used for this overview is using Microsoft Windows ME, Internet Explorer 5.50.4134.0100 and Calypso 3.30.00 e-mail client. No patches were applied to the browser. These are the tests I tried:

+ VBS file vulnerability test

(GFI Information on the test: VBS files contain commands which, when executed, can do anything on the computer. This includes running malicious code such as viruses and worms. VBS, JS, EXE and many other file types which execute code must therefore be treated as dangerous and should not reach desktop computers, where users may be tricked into running the attachment containing an executable file.)

+ CLSID extension vulnerability test

(GFI Information on the test: Attachments which end with a Class ID (CLSID) file extension do not show the actual file extension saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are actually innocent files, such as JPG or WAV files. This method may also circumvent attachment checking in some email content filtering solutions.)

+ ActiveX vulnerability test

(GFI Information on the test: ActiveX within HTML content can circumvent security measures in certain circumstances. Vulnerabilities within Internet Explorer and Outlook allow such content to be executed.)

+ GFI’s Access exploit vulnerability test

(GFI Information on the test: This particular example allows VBA (Visual Basic for Applications) code to be automatically executed without any warnings, regardless of the security settings on the target machine. It can be very dangerous to open an email that makes use of this particular method since it runs on any computer that has Internet Explorer.)

Procedure goes like this. You visit http://www.gfi.com/emailsecuritytest where you can check which tests you would like to start on your computer. This is the full test list:

  • ActiveX vulnerability test (works only on IE5.x)
  • CLSID extension vulnerability test
  • CLSID extension vulnerability test (for Outlook 2002)
  • Eicar anti-virus software test
  • GFI’s Access exploit vulnerability test
  • Iframe remote vulnerability test
  • Malformed file extension vulnerability test (for Outlook 2002)
  • MIME header vulnerability test (Nimda testing)
  • Object Codebase vulnerability test
  • VBS attachment vulnerability test

Note: I didn’t take all the tests, as some of them are Outlook specific.

After checking the appropriate boxes, entering your contact information and hitting submit button, you can check your mailbox for an e-mail with information on the address for confirming that the test was “ordered” by you. After visiting that URL, all the test e-mails are sent to your address. Information provided below is detailed in the test e-mails.

Ok, so let’s start:

1) GFI’s Access exploit vulnerability test E-Mail

(I passed this one without a problem)

GFI’s Access exploit vulnerability test has just been performed on your computer. Opening this mail automatically activates the test.

* If you can see gfi-test.txt

If the text file gfi-test.txt appears on your desktop, then you are vulnerable to this exploit.

Embedded VBA code within an Access database file (.mdb) that in turn lies within an Outlook Express email file can circumvent security measures in certain circumstances. Vulnerabilities within Internet Explorer and Outlook allow such content to be executed automatically.

The text file demonstrates this: It has read vital information about your system, showing you that, in fact, it could have done anything it wanted on your system had it contained harmful code.

* If you cannot see gfi-test.txt

If you are cannot see the file, this means you have effective client-based email security. Note that, for your network to be secure, every machine on your network must have such client-based protection installed, including your servers. Server levelsecurity is recommended as additional protection.

2) CLSID extension vulnerability test E-Mail

(As the attached file didn’t open after clicking on it, I presume I passed this one also. As a double-check, I opened it with ACDSee and nothing happened)

Your mail server has just accepted and sent you an email containing an attachment with a hidden CLSID extension! This means it is relying on desktop level security to protect you. You should now try to run the attachment.

* If you can run this file

If you can run this file, then you are vulnerable to this type of attack. Attachments which end with a CLSID file extension do not show the actual full extension of the file when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are simple, harmless files – such as JPG or WAV files – that do not need to be

blocked. This method can also circumvent attachment checking in some email content filtering solutions.

The enclosed attachment looks like a simple JPG file but is actually a CLSID file that contains code. If you open this file, it creates a text file on your desktop, gfi-test.txt, that has read vital information about your system.

* If you cannot run this file

If you are unable to run the file, this means you have effective client-based email security. Note that, for your network to be secure, every machine on your network must have such client-based protection installed,

including your servers. Server level security is

recommended as additional protection.

3) VBS attachment vulnerability test E-Mail

(As I passed this one also, for now I have 100% efficiency)

Your mail server has just accepted and sent you an email containing a .vbs attachment! This means it is relying on desktop level security to protect you. You should now try to run the attachment.

* If you can run this file

If you can run this file, then you are vulnerable to attacks by email viruses like the LoveLetter, and AnnaKournikova. VBS files contain commands which, when executed, can do virtually anything on the recipient’s PC. This includes running malicious code such as viruses and worms. As you can see, the enclosed attachment has read vital information about your system, showing you that, in fact, it could have done anything it wanted on your system had it contained harmful code.

* If you cannot run this file

If you are unable to run the file, this means you have effective client-based email security. Note that, for your network to be secure, every machine on your network must have such client-based protection installed, including your servers. Server level security is recommended as additional protection.

4) ActiveX vulnerability test E-Mail

(Ooops, it’s like 3 out of 4 as I flunked this one. Exploit created txt file on my Desktop and automatically started it)

The ActiveX component exploit test has just been performed on your computer. Opening this mail automatically activates the test.

* If you can see gfi-test.txt

If the text file gfi-test.txt appears on your desktop, then you are vulnerable to this exploit.

ActiveX within HTML content can circumvent security measures in certain circumstances. Vulnerabilities within Internet Explorer and Outlook allow such content to be executed. The text file demonstrates that it has read vital information about your system.

* If you cannot see gfi-test.txt

If you are cannot see the file, this means you have effective client-based email security. Note that, for your network to be secure, every machine on your network must have such client-based protection installed, including your servers. Server level security is recommended as additional protection.

GFI’s Email Security Testing Zone is a pretty nice concept and I hope the new tests will be added every now and then. As regarding Outlook and Outlook Express security problems, the question is why to use them when there are much better (at least more secure) e-mail clients around. If you really need to use them, Security Web sites and this ‘Email Security Testing Zone’ should be in your bookmarks.

References: