IPA/ISEC:Vulnerabilities:Security Alert for Becky! Internet Mail Vulnerability

February 12, 2009

The Information-technology Promotion Agency (IPA, Chairman Koji Nishigaki) issued a security alert on February 12, 2009 concerning a vulnerability in Becky! Internet Mail.
When an e-mail message carries a tampered request for a receipt confirmation to be sent when the message is viewed, this vulnerability causes arbitrary code to be executed once the recipient permits the reply to that request.
If exploited, the computer may come under the control of an attacker with malicious intent. Unwanted behavior may occur, such as the execution of unintended programs, file deletions, and the installation of malicious tools such as viruses and bots.
To fix this vulnerability, update to the fixed version supplied by the vendor.

1. Overview

Becky! Internet Mail, provided by Rimarts, Inc., is a software product used to send and receive e-mail messages. It offers a feature that lets the recipient reply to a request from the sender for confirmation that the message has been viewed.

However, a buffer overflow vulnerability exists in the mail receipt confirmation function of Becky! Internet Mail. If this vulnerability is exploited, arbitrary code may be executed on the computer on which Becky! Internet Mail is installed.

For detailed information, refer to the following URL:
http://www.rimarts.co.jp/index-j.html (in Japanese)

For the latest information, refer to the following URL:
http://jvndb.jvn.jp/en/contents/2009/JVNDB-2009-000011.html

The IPA first received a report concerning this vulnerability from the person credited below on January 5, 2009. The JPCERT Coordination Center (JPCERT/CC), in line with the Information Security Early Warning Partnership, coordinated with the vendor, and the announcement was made public on February 12, 2009.
Credit: Yuji Ukai, Fourteenforty Research Institute, Inc.

2. Impact

If the recipient grants permission to send a receipt confirmation in reply to a message with the tampered request, unwanted behavior may occur on the computer, such as the execution of unintended programs, deletion of files, and the installation of malicious tools such as viruses and bots.


3. Solution

To fix this vulnerability, update to the fixed version supplied by the vendor.

4. CVSS Severity

(1) Evaluation Result

Severity Rating (CVSS base score):
□ Low (0.0~3.9)   ■ Medium (4.0~6.9)   □ High (7.0~10.0)

CVSS base score: 6.8

(2) Base Score Metrics

AV: Access Vector            □ Local      □ Adjacent Network   ■ Network
AC: Access Complexity        □ High       ■ Medium             □ Low
Au: Authentication           □ Multiple   □ Single             ■ None
C:  Confidentiality Impact   □ None       ■ Partial            □ Complete
I:  Integrity Impact         □ None       ■ Partial            □ Complete
A:  Availability Impact      □ None       ■ Partial            □ Complete

■:Selected Values

5. CWE Type

Contact

IT Security Center,
Information-technology Promotion Agency, Japan (ISEC/IPA)
E-mail: