GFI Updates Its Email Vulnerability Testing

GFI, maker of Mail essentials for Exchange/SMTP, has updated its email vulnerability testing to include tests for two known vulnerabilities in Outlook XP that Outlook's built-in security features don't completely protect against. The two new tests look for vulnerabilities introduced by file attachments that carry embedded Class IDs or HTML application extensions, both of which can cause program execution on a user's system under certain conditions.

According to GFI, an attacker can disguise Class ID extensions so that an email attachment doesn't show its true file extension when the user saves the file and views it with Windows Explorer. As a result, a user might think the file is harmless and open it. Similarly, a malicious file attachment with a malformed .hta extension can slip through Outlook XP's standard security controls if a user inadvertently decides to open the file.
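A gateway-side check for the two attachment types described above, as an added example (not GFI's code or test suite). The function names are hypothetical, the all-zero Class ID is a placeholder, and because the article does not say how the .hta extension is malformed, the normalisation of case and trailing dots or whitespace is an assumption.

```python
import re
from email import message_from_string

# Name whose final extension is a brace-wrapped Class ID, which Windows Explorer does not display.
CLSID_EXT = re.compile(r"\.\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

def classify_filename(name):
    """Return the reasons (possibly none) for blocking an attachment name."""
    # Assumption: trailing dots and whitespace are padding and are ignored.
    cleaned = name.strip().rstrip(". \t")
    reasons = []
    if CLSID_EXT.search(cleaned):
        reasons.append("clsid-extension")
    # Conservative: flag "hta" in any extension position, in any letter case.
    if "hta" in [p.strip().lower() for p in cleaned.split(".")[1:]]:
        reasons.append("hta-extension")
    return reasons

def scan_message(raw):
    """Map each suspicious attachment name in a raw MIME message to its reasons."""
    findings = {}
    for part in message_from_string(raw).walk():
        name = part.get_filename()
        reasons = classify_filename(name) if name else []
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample message (not real traffic) with three attachments.
def _part(filename):
    return ("--BOUND\nContent-Type: application/octet-stream\n"
            f'Content-Disposition: attachment; filename="{filename}"\n\nx\n')

SAMPLE = ('Subject: constructed sample\nMIME-Version: 1.0\n'
          'Content-Type: multipart/mixed; boundary="BOUND"\n\n'
          + _part("notes.txt")
          + _part("report.txt.{00000000-0000-0000-0000-000000000000}")
          + _part("readme.HTA.")
          + "--BOUND--\n")

if __name__ == "__main__":
    for name, why in scan_message(SAMPLE).items():
        print(f"BLOCK {name!r}: {', '.join(why)}")
```

Matching on the declared filename only catches the disguise at the naming level; a gateway would normally pair it with content inspection of the attachment itself.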

"Although the default protection offered by Outlook XP is valuable, it is not enough and should be complemented by a server-based email content checking gateway such as Mail essentials for Exchange/SMTP to block any emails containing malicious code and dubious or harmful attachments," said Sandro Gauci, security engineer at GFI.

GFI launched a Web-based email-security testing site in November 2001 and has updated the site to include tests for Class ID and HTML application vulnerabilities. Gauci said, "Our Email Security Testing Zone is proving a vital tool for security administrators. As part of our plan to keep this zone as up-to-date as possible, we are now offering tests for those who use Outlook XP, giving them the opportunity to test whether they have watertight protection against the latest forms of email threat."

Mail essentials for Exchange/SMTP guards against viruses, worms, Trojan horses, dangerous attachments, spam, and offensive content, and analyses email for various other security risks, such as embedded scripts, macros, and disguised attachments. Pricing for the product starts at $350 (US).
