Innocent-looking attachments may actually be harmful files
London, UK, 11 July 2001 - GFI, leading developer of email content checking & anti-virus software, warns that not all innocent-looking email attachments are actually harmless. Thanks to a dangerous new exploit, email attachments containing scripts (for example, vbs) can be disguised as text (.txt) files by using the CLSID of the extension instead of the actual file extension. Mail essentials, GFI's email content checking and anti-virus solution, detects files that have CLSID extensions and quarantines script files, even if they are disguised as .txt files.
Detects hidden attachment extensions
Through its file-checking module, Mail essentials for Exchange/SMTP automatically quarantines all mails containing attachments with CLSID extensions. It does this by matching all attachment extensions against a CLSID format pattern - {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} - where x is any alphanumeric character.
Windows hides CLSID extensions, so a malicious user can disguise a file with a CLSID extension as any file type, such as a seemingly harmless text file. This works because a CLSID can be used to associate a file with a Windows application in the same way that an ordinary extension (e.g., .txt) is. This means one can create a file called 'testdoc.txt.{00020906-0000-0000-C000-000000000046}' which will be opened by MS Word. The user who receives such a file by email is likely to think it is a simple .txt file. An executable could similarly be disguised as a .jpg or .gif file, for instance, because CLSIDs exist for VBS, HTA and other dangerous applications.
There is no practical reason for someone to send a file with such an extension. So if such an attachment is sent by email, it will most probably have been done deliberately and with malicious intent, posing a great security risk.
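The extension check described above, as an added example that is not GFI's code: it applies the CLSID format pattern to every attachment name in a MIME message. The function names, the quarantine/deliver labels and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.message import Message

# Pattern from the text: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}, x alphanumeric,
# anchored so it only matches when it is the file name's final extension.
CLSID_EXT = re.compile(
    r"\.\{[0-9A-Za-z]{8}(?:-[0-9A-Za-z]{4}){3}-[0-9A-Za-z]{12}\}$"
)

def has_clsid_extension(filename: str) -> bool:
    """True when the last extension of the file name is a brace-wrapped CLSID."""
    return bool(CLSID_EXT.search(filename.strip()))

def clsid_attachments(msg: Message) -> list:
    """File names of every MIME part whose extension is a CLSID."""
    flagged = []
    for part in msg.walk():
        # get_filename() reads Content-Disposition filename=, falls back to
        # Content-Type name=, and decodes RFC 2231 (filename*=) parameters.
        name = part.get_filename()
        if name and has_clsid_extension(name):
            flagged.append(name)
    return flagged

def verdict(msg: Message) -> str:
    """Gateway decision (hypothetical labels): quarantine or deliver."""
    return "quarantine" if clsid_attachments(msg) else "deliver"

# Constructed sample message; the attachment name is the one used in the text.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="testdoc.txt.{00020906-0000-0000-C000-000000000046}"

x
--b1--
"""

if __name__ == "__main__":
    print(verdict(message_from_string(SAMPLE)))
```

Because the check runs on the decoded name returned by the MIME parser, a CLSID extension supplied through `name=` or an encoded `filename*=` parameter is caught as well.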
As no patches have yet been issued against this exploit, the only way to protect the corporate network against such a threat is to have adequate protection at email server level. By using Mail essentials for Exchange/SMTP, organizations are protected from malicious CLSID files because the product detects and blocks them before they can reach the user, who could innocently trigger a virus by double-clicking on such a file.
For more information about this security hazard, please read the security advisory hosted at this link: http://www.guninski.com/clsidext.html.
About Mail essentials
Mail essentials is the market-leading email content checking solution with more than 10,000 servers sold since its launch. It removes all types of email-borne threats before they can affect an organization's email users. Spam, viruses, dangerous attachments and offensive content can be removed before they reach the corporate mail server. More information can be found at http://www.gfi.com/me/index.html. Pricing starts at US$350 for 10 users.
About GFI
GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. With award-winning technology, an aggressive pricing strategy and a strong focus on small-to-medium sized businesses, GFI is able to satisfy the need for business continuity and productivity encountered by organizations on a global scale. GFI has offices in the US, Malta, UK, Hong Kong and Australia which support more than 200,000 installations worldwide. GFI is a channel-focused company with over 10,000 partners worldwide. GFI is a Microsoft Gold Certified Partner. More information about GFI can be found at http://www.gfi.com.
All product and company names herein may be trademarks of their respective owners.