MIME security, and security “specialists”

NISCC Vulnerability Advisory 380375 talks about vulnerabilities caused by ambiguous MIME messages — basically, a single e-mail body part may claim to be of two different types, or encoded according to two different mechanisms, at the same time. Implementations then just pick one interpretation, and, of course, they differ in which one they pick. Thus, a virus scanning e-mail gateway may see a message that's never displayed to the user, and the user may see one that was never inspected. Likewise, a message may be signed with PGP/MIME or S/MIME, but may still look quite different to users relying on different implementations.

Corsaire is trumpeting this as an example of their "specialist approach" (press release); in the context of digital signatures, however, you may also have read about it here (November 2001).

(And that was just an obvious application of this January 1998 paper by Ptacek and Newsham to e-mail.)
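A gateway-side check for the ambiguity described above, as an added example that is not taken from the advisory or from this post: it walks every body part and reports any part that declares its type or its transfer encoding more than once, showing what a first-wins and a last-wins parser would each pick. It assumes the ambiguity takes the form of repeated headers; the sample message and the function name are constructed for illustration.

```python
import email

# Headers that must appear at most once per body part for the part to have
# a single, unambiguous interpretation.
SINGLETON_HEADERS = ("Content-Type", "Content-Transfer-Encoding")

# Constructed sample: the second part declares two types and two encodings.
SAMPLE = b"""\
From: sender@example.org
To: rcpt@example.org
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello
--b1
Content-Type: text/plain
Content-Type: application/octet-stream
Content-Transfer-Encoding: 7bit
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

def find_ambiguous_parts(raw: bytes):
    """Return (part_index, header, first_value, last_value) for every
    singleton header that a body part carries more than once."""
    msg = email.message_from_bytes(raw)
    findings = []
    # walk() yields the root container as index 0, then each part in order.
    for index, part in enumerate(msg.walk()):
        for name in SINGLETON_HEADERS:
            values = [str(v).strip().lower() for v in part.get_all(name, [])]
            if len(values) > 1:
                # A first-wins parser and a last-wins parser disagree here.
                findings.append((index, name, values[0], values[-1]))
    return findings

if __name__ == "__main__":
    for index, name, first, last in find_ambiguous_parts(SAMPLE):
        print(f"part {index}: duplicate {name}: first={first!r} last={last!r}")
```

A scanner that finds such a part cannot know which interpretation the recipient's mail client will choose, so the conservative policy is to reject or quarantine the message rather than inspect one reading of it.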