COMMAND

    Worldsecure/Mail

SYSTEMS AFFECTED

    Worldsecure/Mail 4.3

PROBLEM

    Andreas Kuechler found the following.  Worldsecure uses anonymous
    FTP to transfer its virus patterns automatically from its site
    download.worldtalk.com to the Worldsecure server.  Obviously
    Worldtalk does __NOT__ check any signatures after the file has
    been downloaded, and integrates the patterns straight into the
    antivirus engine of the WorldSecure/Mail server.  There are two
    scenarios:

    1) if anyone gets access to the pattern files on
       download.worldtalk.com and replaces them with a modified
       version:
       a) he can transport any file named *.dat to the users'
          Worldsecure servers (the server transports everything called
          *.dat that is embedded inside the dat-xxxx.zip residing on
          the FTP server to a directory under Worldtalk named after
          the pattern revision).  All you have to do is find the
          current revision number of McAfee's dat files, add one, and
          place a new dat on the FTP server.  By doing this you reach
          __ANY__ WS/Mail server with the autoupdate feature enabled!

       b) by replacing scan.dat with any file which is not a virus
          pattern, the virus engine will be unable to scan for any
          viruses any more...  By the way, weren't there some exploits
          against MS FTP Service 4.0 !?!

    2) if anyone gets access to the local registry of a
       Worldsecure/Mail server he can modify the download site from
       which Worldtalk retrieves its updates.  He can then accomplish
       the same thing as before (only on the smaller scope of one
       server).

    The big problem is that the Worldsecure/Mail server accepts any
    file as a virus pattern and actually scans with this modified file
    (I tried wincmd.exe !!! renamed as scan.dat) without producing any
    warnings or log entries.  The administrator only has a chance to
    smell the mess when he restarts the server, because then the virus
    engine will not initialize.

SOLUTION

    Worldtalk has been informed about these scenarios and admits that
    there is a problem, which will be solved in a future release of
    Worldsecure/Mail.

    Blindly trusting an outside source to update virus
    pattern/definition/dat files (or any other application) throughout
    your enterprise is foolish.  Corporations should have a mechanism
    to test new updates before they are released to the general
    server/user population.  This is a simple way to minimise these
    types of security risks.  Also, you won't have to deal with
    thousands of users calling your help desk reporting that their AV
    software didn't load properly or is detecting explorer.exe as a
    trojan horse!