20131106 - Microsoft has identified a “zero-day” vulnerability involving .TIFF files

Microsoft has identified a “zero-day” vulnerability involving .TIFF files. This means that neither Microsoft nor the antivirus companies have been able to develop tools to address this vulnerability. Because this is a zero-day vulnerability, the only way to protect yourself is to exercise extreme caution when opening .TIFF files, no matter how they reach you—whether via e-mail, web sites, or any other means.  ETRN advises all its users to be very careful with .TIFF files.  Anti-virus and firewall protection applications may not stop this threat. Do not open any files with a filename ending in .tiff.

There are a number of news articles discussing the specific details of the vulnerability. You can read them here: https://news.google.com/news?q=zero+day+microsoft

Here are some answers to questions you may have:

Q: Won't ETRN's Spam Filtering Service catch any viruses that are trying to get through?
A: No.  While the ETRN system uses a number of techniques that will stop some zero-day attacks, the very definition of zero-day means that as of today, there are no signatures that let us detect any attachments containing this malware.  Your best defense is user awareness until Microsoft delivers a patch, and until signatures can be developed.

Q: Can I block .TIFF files from being delivered to my end users' mailboxes?
A: ETRN has implemented a temporary change in the Attachment Type Filtering option in Mailguard to include .TIFF files and the image/tiff MIME type.  If you have Attachment Type Filtering enabled, this will likely help to quarantine e-mails containing attachments with .TIFF files.  Please keep in mind that this may also cause e-mails with legitimate .TIFF files to be quarantined.  There is no guarantee that this will stop all .TIFF files from reaching your users.
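
A sketch of this kind of attachment check, as an added example (it is not ETRN's Mailguard code): it flags a MIME part by filename extension and declared MIME type, as the answer above describes, and additionally by the TIFF header bytes, which is an assumption that goes beyond what the page says the filter does. The sample message, filenames and addresses are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

TIFF_MAGIC = (b"II*\x00", b"MM\x00*")  # little- and big-endian TIFF headers
TIFF_EXTS = (".tif", ".tiff")          # .tif is the common short form of .tiff
TIFF_TYPES = ("image/tiff",)           # the MIME type named on this page

def tiff_reasons(part):
    """Return the reasons one MIME part looks like a TIFF (empty list if none)."""
    reasons = []
    name = (part.get_filename() or "").lower()
    if name.endswith(TIFF_EXTS):
        reasons.append("extension")
    if part.get_content_type() in TIFF_TYPES:
        reasons.append("mime-type")
    # decode=True undoes the Base64 transfer encoding before sniffing the header
    payload = part.get_payload(decode=True) or b""
    if payload[:4] in TIFF_MAGIC:
        reasons.append("magic-bytes")
    return reasons

def scan_message(raw):
    """Map each flagged attachment's filename to the reasons it was flagged."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {}
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        reasons = tiff_reasons(part)
        if reasons:
            hits[part.get_filename() or "(unnamed)"] = reasons
    return hits

def build_sample():
    """Constructed message: a labelled TIFF, TIFF bytes under a generic label, a PNG."""
    tiff = b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "scan"
    msg.set_content("See attachments.")
    msg.add_attachment(tiff, maintype="image", subtype="tiff", filename="fax.TIFF")
    msg.add_attachment(tiff, maintype="application", subtype="octet-stream",
                       filename="report.dat")
    msg.add_attachment(png, maintype="image", subtype="png", filename="logo.png")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, reasons in scan_message(build_sample()).items():
        print(f"quarantine {name}: {', '.join(reasons)}")
```

The second attachment is flagged only by its header bytes, and the legitimate `fax.TIFF` is quarantined along with everything else, which matches the two caveats in the answer.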

Q: When is Microsoft anticipated to deliver a patch?
A: Microsoft has stated that it will "take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update."

We are continuing to work to find a full solution to this issue.  Once reliable signatures to detect this threat are in place, we will stop using our Attachment Type Filtering option to quarantine e-mails containing .TIFF files.


Updates:

  • 20131121 17:00 - We have determined that your virus scanning solution is now capable of reliably detecting files exploiting this vulnerability. As a result, our system is no longer quarantining e-mails containing .TIFF files.

We appreciate your patience during this work and welcome any feedback. Thank you for being an ETRN customer. Please contact us if you have any questions.

We Answer Your Questions: FAQ

Q: What is the maximum e-mail attachment size?

A: The ETRN.com e-mail servers do not limit the size of individual e-mail attachments. The ETRN.com e-mail servers do impose a 400 MB maximum total message size limit. Individual customers can choose a smaller message size limit. We can also customize the handling of "over-sized" e-mails. Please contact us to discuss your specific needs. A couple of important facts:

1. Attachments are typically encoded in what is called Base64[1]. As a result, the actual length of MIME-compliant Base64-encoded binary data is usually about 137% of the original file size.

2. E-mails often contain both plain text and HTML components. This also increases the overall size of the e-mail.