Microsoft Corp. on Tuesday released two security bulletins to fix “critical” flaws in several widely deployed products, including one that presents a remote unauthenticated attack vector that could leave corporate e-mail servers open to a destructive network worm attack.
A company spokesperson flagged MS06-003 as the most serious issue, warning that a bug in the way TNEF (Transport Neutral Encapsulation Format) is decoded can allow malicious hackers to inject harmful code automatically without user interaction.
Businesses running Microsoft Exchange Server 5.0, Microsoft Exchange Server 5.5 and Microsoft Exchange 2000 are at the highest risk of a network attack, according to Stephen Toulouse, program manager in the MSRC (Microsoft Security Response Center).
Microsoft Office 2000, Microsoft Office XP, Microsoft Outlook 2002 and Microsoft Office 2003 are also at immediate risk, although a successful attack requires a minimum amount of user interaction.
“[An attacker] can run code on the server when the server is processing an e-mail message,” Toulouse said in an interview, noting that the code would be executed in the background without any user interaction. “If you’re running Exchange Server 5.0, Exchange Server 5.5 or Exchange 2000 Server, you want to pay special attention to this update.”
Businesses running Microsoft Exchange Server 2003 are not affected.
The TNEF format, which is proprietary, is used by the Microsoft Exchange Server and Outlook e-mail clients to parse RTF (Rich Text Format) messages. When Microsoft Exchange thinks that it is sending a message to another Microsoft e-mail client, it extracts all the formatting information and encodes it in a special TNEF block.
It then sends the message in two parts—the text message with the formatting removed and the formatting instructions in the TNEF block. On the receiving side, a Microsoft e-mail client processes the TNEF block and reformats the message.
In an attack scenario, Toulouse said, a malicious hacker could create a specially crafted TNEF message to trigger an exploit when the server is decoding the e-mail message.
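As an added illustration (not from Microsoft or the bulletin), the sketch below shows how a mail gateway could locate the TNEF part of a message and check that every declared attribute length and checksum fits the stream before anything decodes it. The signature value and attribute layout are taken from the public TNEF specification rather than from this article; the function names and sample message are constructed for the example, and it is a generic structural check, not a detector for the MS06-003 flaw.

```python
import struct
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart

TNEF_SIGNATURE = 0x223E9F78  # first four bytes of a TNEF stream, little-endian

def walk_tnef(blob):
    """Return (attribute_count, problem); problem is None when the stream is well formed."""
    if len(blob) < 6 or struct.unpack_from("<I", blob)[0] != TNEF_SIGNATURE:
        return 0, "bad signature"
    pos, count = 6, 0  # skip the 4-byte signature and 2-byte key
    while pos < len(blob):
        if len(blob) - pos < 9:
            return count, "truncated attribute header"
        level, _tag, length = struct.unpack_from("<BII", blob, pos)
        pos += 9
        if level not in (1, 2):  # 1 = message attribute, 2 = attachment attribute
            return count, "unknown attribute level"
        if length > len(blob) - pos - 2:  # data plus 2-byte checksum must fit
            return count, "declared length exceeds stream"
        data = blob[pos:pos + length]
        (checksum,) = struct.unpack_from("<H", blob, pos + length)
        if sum(data) & 0xFFFF != checksum:
            return count, "checksum mismatch"
        pos += length + 2
        count += 1
    return count, None

def triage_message(raw):
    """List (filename, attribute_count, problem) for every TNEF part in a raw message."""
    findings = []
    for part in message_from_bytes(raw).walk():
        name = (part.get_filename() or "").lower()
        if part.get_content_type() == "application/ms-tnef" or name == "winmail.dat":
            findings.append((name, *walk_tnef(part.get_payload(decode=True) or b"")))
    return findings

def build_sample(declared_length=None):
    """Constructed test message: one TNEF part holding a single 4-byte attribute."""
    data = b"\x00\x00\x01\x00"
    length = len(data) if declared_length is None else declared_length
    tnef = struct.pack("<IH", TNEF_SIGNATURE, 0x0001)  # signature + constructed key
    tnef += struct.pack("<BII", 1, 0x00089006, length) + data  # constructed attribute
    tnef += struct.pack("<H", sum(data) & 0xFFFF)
    msg = MIMEMultipart()
    part = MIMEApplication(tnef, "ms-tnef")
    part.add_header("Content-Disposition", "attachment", filename="winmail.dat")
    msg.attach(part)
    return msg.as_bytes()
```

Calling `triage_message(build_sample())` reports one clean attribute, while `build_sample(declared_length=0xFFFF)` produces a part whose length field overruns the stream and is flagged.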
The second bulletin, MS06-002, also covers a remote code execution vulnerability in the way Windows handles malformed embedded Web fonts.
This flaw could be exploited by attackers using specially constructed Web fonts placed on Web sites or in e-mail messages. Toulouse acknowledged that the vulnerability presented a major code execution risk but said the attack scenario requires that the victim be lured into viewing a rigged Web site or a specially crafted e-mail.
“These are both high-priority updates that were privately reported. We’re not aware of any exploits or attacks but we want to ensure people understand these risks and get these updates deployed on their systems,” Toulouse said.