Clearswift has updated its popular Mailsweeper e-mail-filtering product,
tightening up handling of particular compressed file formats that could be
used to slip malicious code into a business network. But while Clearswift
was careful to characterise the change as a routine update, security
researchers accused the company of fixing a security hole and hoping no one
would notice.

Clearswift's hotfix for Mailsweeper 4.3.15 is available direct href='http://www.clearswift.com/' target='_blank'>from the company.

Security has become a sensitive issue in the enterprise, with corporate
networks battered by ever-more-damaging virus outbreaks, and some companies
have been criticised for attempting to maintain a reputation for good
security by keeping their own vulnerabilities out of the spotlight. In May,
for example, security researchers href='http://www.techworld.com/security/news/index.cfm?NewsID=1574'>warned a> of two serious bugs in Apple Computer's Mac OS X operating system, and
were dismayed when Apple href='http://www.techworld.com/security/news/index.cfm?NewsID=1611'>went out
of its way to downplay the seriousness of the problem.

Clearswift said this week that its Mailsweeper update allows the tool to
identify several relatively new compressed file formats that had been left
out of the earlier product. But the company said these formats didn't
previously pose a problem. "The file types highlighted would come through as
unknown and would be put into quarantine, so there is no vulnerability,"
said Clearswift product director Andy Morris. Morris added that, in any
case, the file types are rarely encountered in the wild.

Martin O'Neal of UK-based security firm Corsaire painted a different
picture. Versions of Mailsweeper prior to 4.3.15 - that is, prior to
Clearswift's update last week - are vulnerable to attacks by several types
of compressed files because the product does not detect the presence of the
files. In some cases Mailsweeper also does not identify the name of file
attachments when they are encoded, O'Neal said in href='http://www.corsaire.com/advisories/c030807-001.txt' target='_blank'>an
advisory.

In Corsaire's tests, Mailsweeper didn't block potentially malicious
executable files encoded in some compression formats, despite Clearswift
claiming compatibility with those formats. "By virtue of the encoding
formats not being detected, the container and the contents are passed
through the system without being analysed," O'Neal said in the advisory.

Newer formats such as 7ZIP and ACE were not detected, while the TAR format,
listed as compatible with Mailsweeper, produced an error in the product,
O'Neal said. He said some formats, such as RAR and ZIP, that were listed as
being compatible, were version-dependent - the product didn't support newer
versions of the formats.

Another security firm agreed that the unsupported file types appeared to
pose a threat. "The fact that a file format isn't very common is hardly an
excuse when the product lists support for those file types on the product
information page," said Thomas Kristensen, chief technical officer of
Secunia. "Also, some of the formats are supported by WinZip, allowing most
users to open the files." In its own href='http://secunia.com/advisories/12301/' target='_blank'>advisory,
Secunia ranked the issue "moderately critical".

O'Neal also criticised Clearswift for its unresponsiveness. "After months of
requesting a status update on these issues (without any response), the
patches for these vulnerabilities have been released without any discussion
or coordination with ourselves, and as is becoming the norm, completely
unattributed," he wrote in the advisory.

Clearswift's Morris said the company was aware of Morris' research, but had
already planned the update, so felt no need for attribution. The company has
a policy of working with security researchers and crediting them, he said,
but tends not to "stand up and sing and dance" about security problems. "We
are not as widely deployed as Microsoft, so we don't have to be up-front,"
Morris said.