Seven months ago, GFI announced the Email Security Testing Zone with the purpose of enabling organizations to check whether their computers and email systems are vulnerable to email viruses and attacks. Back then, GFI's CEO Nick Galea praised this new service with the following words: "GFI's Email Security Testing Zone now allows organizations to instantly discover if they are vulnerable, enabling them to take proactive steps to defend their email system".
A few hours ago, we received the latest press release from GFI, entitled "GFI's Email Security Testing Zone Launches 3 New Tests". While adding it to the HNS web site, I browsed their 'Email Zone' and wrote a brief overview of some of the tests and security issues the tests are trying to exploit.
The test computer used for this overview is using Microsoft Windows ME, Internet Explorer 5.50.4134.0100 and Calypso 3.30.00 e-mail client. No patches were applied to the browser. These are the tests I tried:
+ VBS file vulnerability test
(GFI Information on the test: VBS files contain commands which, when executed, can do anything on the computer. This includes running malicious code such as viruses and worms. VBS, JS, EXE and many other file types which execute code must therefore be treated as dangerous and should not reach desktop computers, where users may be tricked into running the attachment containing an executable file.)
+ CLSID extension vulnerability test
(GFI Information on the test: Attachments which end with a Class ID (CLSID) file extension do not show the actual file extension saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are actually innocent files, such as JPG or WAV files. This method may also circumvent attachment checking in some email content filtering solutions.)
+ ActiveX vulnerability test
(GFI Information on the test: ActiveX within HTML content can circumvent security measures in certain circumstances. Vulnerabilities within Internet Explorer and Outlook allow such content to be executed.)
+ GFI's Access exploit vulnerability test
(GFI Information on the test: This particular example allows VBA (Visual Basic for Applications) code to be automatically executed without any warnings, regardless of the security settings on the target machine. It can be very dangerous to open an email that makes use of this particular method since it runs on any computer that has Internet Explorer.)
Procedure goes like this. You visit http://www.gfi.com/emailsecuritytest where you can check which tests you would like to start on your computer. This is the full test list:
- ActiveX vulnerability test (works only on IE5.x)
- CLSID extension vulnerability test
- CLSID extension vulnerability test (for Outlook 2002)
- Eicar anti-virus software test
- GFI's Access exploit vulnerability test
- Iframe remote vulnerability test
- Malformed file extension vulnerability test (for Outlook 2002)
- MIME header vulnerability test (Nimda testing)
- Object Codebase vulnerability test
- VBS attachment vulnerability test
After checking the appropriate boxes, entering your contact information and hitting submit button, you can check your mailbox for an e-mail with information on the address for confirming that the test was "ordered" by you. After visiting that URL, all the test e-mails are sent to your address. Information provided below is detailed in the test e-mails.
Ok, so let's start: