TCH-Thomas Posted February 24, 2006

Secunia writes:

Description: Nemesis Security Audit Group has discovered a vulnerability in The Bat!, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the parsing of the email subject header. This can be exploited to cause a unicode stack-based buffer overflow via a specially-crafted email message with an overly long subject.

The vulnerability has been confirmed in version 3.60.07. Other versions may also be affected.

Solution: Update to version 3.71.03.
http://www.ritlabs.com/en/products/thebat/download.php

TCH-Bruce Posted February 24, 2006

Man, when will they stop! Thanks Thomas

Madmanmcp Posted February 24, 2006

"Nemesis Security Audit Group has discovered a vulnerability in The Bat!, which potentially can be exploited by malicious people to compromise a user's system."

Some Security group that has nothing better to do publishes a vulnerability it found in a program called The Bat!. I'm curious, who even uses this program? I've never heard of it and searches on Google only produce one link to its web site that relates to it. So why would Secunia worry about such a non-issue as this and apply a Critical rating to it? There's no one using the program so hackers will not waste their time writing code to exploit it. Yes, it's a good idea to notify about an update but leave that to the company to inform its userbase. I don't believe it's a big threat to the Internet at large.

GroovyFish Posted February 24, 2006

Well, some people use it
A very important person!

Madmanmcp Posted February 24, 2006

Oops, looks like I'm in trouble now. And I even replied to that string right behind Bill's endorsement. Still, the major browsers are what the hackers concentrate on so I think there is a very very slim chance that anything will ever be seen "in the wild" for it. Thanks for the info, Groovyfish. {waits for Bill}

Deverill Posted February 25, 2006

"I'm curious, who even uses this program? I've never heard of it and searches on Google only produce one link to its web site that relates to it."

Try the string "the bat" email which produces 1.9 million hits. Even narrowing it down from email about Batman by adding the string ritlabs (the creator) gives us 105K hits. You must have caught Google at a bad time or something.

Take this for what it's worth, consider the source, your mileage may vary, etc.

"Over these past years our user-base has grown into the many thousands"

which is sufficiently vague as to have only limited value.

I own the program and have been considering upgrading it even though I do everything on Gmail right now. It has some very nice features, especially (IMO) for multiple email accounts. The thing I like the most is that I can do a template so that if I am replying to email that was sent to my XYZ address, the reply can automatically have "Thank you for contacting XYZ" and the sig can be customized "Jim Sewell - XYZ Guru" and be something totally different when I'm replying to an email that came to another of my addresses. Cool stuff.

Madmanmcp Posted February 26, 2006

Oh I got thousands of hits Jim, only the first result was the Ritlabs site and the rest were for anything else relating to bats. I didn't bother searching thoroughly.

"Over these past years our user-base has grown into the many thousands"

That is what I would expect, I believe it's a good program because of the things you and Bill say about it. But it's an email program you have to pay for and with all the other free ones out there it will remain in the "many thousands" I'm afraid.

Deverill Posted February 26, 2006

As long as we continue to become an "I want it all free... I deserve to have great programs and not pay for it" computing community you may be right. I use a lot of free programs, don't get me wrong, but if it's worth it then I'll pay for something I use. Too many others won't, sadly for the programmers who have less motivation to create excellence.