The vulnerabilities in the MIME extension to the ubiquitous Simple Mail Transfer Protocol (SMTP) were uncovered by experts from information security firm Corsaire, which warned of 190 discrete attack vectors.
Due to the scale and seriousness of this issue - and the requirement for coordination of vendors with compromised products - Corsaire passed its findings to the UK National Infrastructure Co-ordination Centre (NISCC) team, which released full details to the public on Monday September 13.
The MIME vulnerabilities were discovered during a recent Corsaire project to assess the suitability of the email systems used by a large insurance company. The scope of the project was to identify any weaknesses in the organisation's controls for limiting the types of data sent via email and identifying malicious content, such as viruses.
NISCC's Vulnerability Advisory 380375/MIME notes there are several types of software products that are potentially affected by the vulnerabilities. These include web browsers, anti-virus products, mail content checkers and web content checkers that need to be able to parse MIME.
The flaw occurs if a content checker parses a MIME message incorrectly. If content is allowed to pass through the checker based on an incorrect assessment of its MIME type, the content checker's security can be totally bypassed, Corsaire's testing found.
"If this happened or a content checker was not used, the receiving client could crash or execute arbitrary code if it also parsed the MIME incorrectly," the NISCC advisory stated.
The MIME flaws came to light when the Corsaire tools were applied to a variety of mail gateway products. The end result was the discovery of 14 fundamental MIME implementation issues, with 190 discrete attack vectors, Corsaire warned.
"In specific terms, these were used to identify over 1000 individual vulnerabilities in only ten common MIME gateway products. At the last count Corsaire was aware of around 90 separate vendors producing MIME products that will also likely be affected," Corsaire said in a prepared statement.