[ISN] Microsoft Plugs 'Critical' E-Mail Server Holes

From: InfoSec News (isn@private)
Date: Tue Jan 10 2006 - 22:49:37 PST


By Ryan Naraine 
January 10, 2006 

Microsoft Corp. on Tuesday released two security bulletins to fix
"critical" flaws in several widely deployed products, including one
that presents a remote unauthenticated attack vector that could leave
corporate e-mail servers open to a destructive network worm attack.

A company spokesperson flagged MS06-003 as the most serious issue,
warning that a bug in the way TNEF (Transport Neutral Encapsulation
Format) is decoded can allow malicious hackers to inject harmful code
automatically without user interaction.

Businesses running Microsoft Exchange Server 5.0, Microsoft Exchange
Server 5.5 and Microsoft Exchange 2000 are at the highest risk of a
network attack, according to Stephen Toulouse, program manager in the
MSRC (Microsoft Security Response Center).

Microsoft Office 2000, Microsoft Office XP, Microsoft Outlook 2002 and
Microsoft Office 2003 are also at immediate risk, although a
successful attack requires a minimum amount of user interaction.

"[An attacker] can run code on the server when the server is
processing an e-mail message," Toulouse said in an interview, noting
that the code would be executed in the background without any user
interaction. "If you're running Exchange Server 5.0, Exchange Server
5.5 or Exchange 2000 Server, you want to pay special attention to this

Businesses running Microsoft Exchange Server 2003 are not affected.

The TNEF format, which is proprietary, is used by the Microsoft
Exchange Server and Outlook e-mail clients to parse RTF (Rich Text
Format) messages. When Microsoft Exchange thinks that it is sending a
message to another Microsoft e-mail client, it extracts all the
formatting information and encodes it in a special TNEF block.

It then sends the message in two parts—the text message with the
formatting removed and the formatting instructions in the TNEF block.  
On the receiving side, a Microsoft e-mail client processes the TNEF
block and reformats the message.

In an attack scenario, Toulouse said, a malicious hacker could create
a specially crafted TNEF message to trigger an exploit when the server
is decoding the e-mail message.
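The paragraphs above describe TNEF only at the level of "a block of formatting instructions the receiving side decodes". The following is an added example, not code from the article or from Microsoft: a deliberately strict TNEF attribute walker in Python that refuses any record whose declared length, level or checksum does not fit the bytes actually present. The stream layout it assumes (a 4-byte signature 0x223E9F78, a 2-byte key, then records of level byte, 4-byte attribute id/type, 4-byte length, data, 2-byte checksum) comes from public descriptions of the format, and the attribute constants, the `MAX_ATTR_LEN` policy cap and the sample streams are constructed for the demonstration. It does not reproduce the MS06-003 bug, which the article does not detail; it shows the kind of bounds discipline a decoder of attacker-supplied input needs.

```python
import struct
from dataclasses import dataclass

# TNEF stream layout (public format description, not taken from the article):
#   DWORD signature 0x223E9F78, WORD key, then zero or more records of
#   BYTE level, DWORD (type << 16 | id), DWORD length, BYTE data[length], WORD checksum
TNEF_SIGNATURE = 0x223E9F78
LVL_MESSAGE = 0x01
LVL_ATTACHMENT = 0x02
ATT_SUBJECT = 0x00018004       # atpString (0x0001) << 16 | attSubject (0x8004)
ATT_TNEF_VERSION = 0x00089006  # atpDword (0x0008) << 16 | attTnefVersion (0x9006)
MAX_ATTR_LEN = 1 << 24         # constructed policy cap on a single attribute, not part of TNEF


class TnefError(ValueError):
    """Raised for any record that cannot be decoded without reading past the buffer."""


@dataclass
class TnefAttribute:
    level: int
    attr_id: int    # low 16 bits of the attribute field
    attr_type: int  # high 16 bits of the attribute field
    data: bytes


def tnef_checksum(data: bytes) -> int:
    # TNEF's per-attribute checksum is the byte sum truncated to 16 bits.
    return sum(data) & 0xFFFF


def parse_tnef(blob: bytes) -> list:
    """Walk every attribute record, validating each length against the bytes that remain."""
    if len(blob) < 6:
        raise TnefError("stream shorter than signature + key")
    sig, _key = struct.unpack_from("<IH", blob, 0)
    if sig != TNEF_SIGNATURE:
        raise TnefError(f"bad signature 0x{sig:08x}")
    pos, attrs = 6, []
    while pos < len(blob):
        if len(blob) - pos < 9:
            raise TnefError(f"truncated attribute header at offset {pos}")
        level, attr_field, length = struct.unpack_from("<BII", blob, pos)
        pos += 9
        if level not in (LVL_MESSAGE, LVL_ATTACHMENT):
            raise TnefError(f"unknown level 0x{level:02x}")
        if length > MAX_ATTR_LEN:
            raise TnefError(f"attribute length {length} exceeds policy cap")
        # The declared length must leave room for the data AND its 2-byte checksum;
        # a decoder that trusts `length` here is the one that reads past its buffer.
        if length + 2 > len(blob) - pos:
            raise TnefError(f"attribute claims {length} bytes, only {len(blob) - pos} remain")
        data = blob[pos:pos + length]
        pos += length
        (stored,) = struct.unpack_from("<H", blob, pos)
        pos += 2
        if stored != tnef_checksum(data):
            raise TnefError("attribute checksum mismatch")
        attrs.append(TnefAttribute(level, attr_field & 0xFFFF, attr_field >> 16, data))
    return attrs


def build_attribute(level: int, attr_field: int, data: bytes) -> bytes:
    # Encoder counterpart used only to construct sample streams below.
    return (struct.pack("<BII", level, attr_field, len(data)) + data
            + struct.pack("<H", tnef_checksum(data)))


def build_tnef(attrs, key: int = 0x1234) -> bytes:
    return struct.pack("<IH", TNEF_SIGNATURE, key) + b"".join(build_attribute(*a) for a in attrs)


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_tnef(blob)
        return True
    except TnefError:
        return False


# Constructed samples: a valid two-attribute stream, and the same stream with the
# subject record's length field overwritten (that field sits at bytes 26..29).
GOOD = build_tnef([(LVL_MESSAGE, ATT_TNEF_VERSION, struct.pack("<I", 0x00010000)),
                   (LVL_MESSAGE, ATT_SUBJECT, b"quarterly report\x00")])
OVERSIZED = GOOD[:26] + struct.pack("<I", 0xFFFFFFF0) + GOOD[30:]
TRUNCATED = GOOD[:-3]  # transport cut the stream short; the last length field now lies

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("OVERSIZED", OVERSIZED), ("TRUNCATED", TRUNCATED)):
        print(name, "accepted" if is_well_formed(blob) else "rejected")
```

The two failure cases are the ones worth internalising: a length field that is absurdly large is easy to catch with a cap, but a length that overstates the record by only a few bytes is just as dangerous, and only the comparison against the bytes actually remaining catches it.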

The second bulletin, MS06-002, also covers a remote code execution
vulnerability in the way Windows handles malformed embedded Web fonts.

This flaw could be exploited by attackers using specially constructed
Web fonts placed on Web sites or in e-mail messages. Toulouse
acknowledged that the vulnerability presented a major code execution
risk but said the attack scenario requires that the victim be lured
into viewing a rigged Web site or a specially crafted e-mail.

"These are both high-priority updates that were privately reported.  
We're not aware of any exploits or attacks but we want to ensure
people understand these risks and get these updates deployed on their
systems," Toulouse said.


This archive was generated by hypermail 2.1.3 : Tue Jan 10 2006 - 23:03:09 PST