Microsoft's security problems didn't improve much Tuesday, when it followed last week's out-of-cycle fix of a major bug with two more "Critical" vulnerabilities, including one that allows attackers to hack into any Exchange server or Outlook owner's PC just by sending a malformed e-mail message.
The more dangerous of the two new vulnerabilities is the one spelled out in MS06-003, argued Mike Murray, director of research at vulnerability management vendor nCircle.
"This one isn't an MSBlast-style bug, but it's severe enough that if someone is clever, they'll come up with a quickly-propagating worm that will do some major damage," said Murray.
The problem, he added, is that it's a "dual opportunity vulnerability," since it impacts both Outlook, Microsoft's main e-mail client, and the Exchange mail server software.
"This one's going to be really interesting to watch," said Murray, "because it has two vectors, Exchange as well as Outlook. An attacker could e-mail one message to 100 people and compromise 15 servers and 100 people all at the same time."
Outlook and Exchange are vulnerable because of the way they decode Transport Neutral Encapsulation Format (TNEF) MIME attachments. TNEF is used by Exchange and Outlook when sending and processing messages formatted as Rich Text Format (RTF), one of the three formatting choices available to Outlook users (the others being Plain Text and HTML).
An attacker could gain full control of a Windows PC by sending a specially formatted message to an Exchange server or to a user of Outlook 2000, 2002, or 2003; unlike other attacks, ones based on this vulnerability wouldn't have to dupe users into opening e-mail attachments. Simply receiving such a message through an Exchange server is enough for a successful attack.
"If an attacker figures out how to craft two different payloads, one that affects the servers, the other that hits Outlook clients, you're going to see a really different worm, one with a unique propagation," warned Murray.
Microsoft's workaround for those who couldn't immediately apply the patch is to strip out all Rich Text-formatted messages at the gateway. But that, said Murray, might be impossible for enterprises. "I still get about 10 percent of my e-mail from people using Rich Text format. If a company starts stripping out 10 percent of its mail, it's going to have some serious e-mail issues."
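The gateway workaround above, as an added example that is not from the article or from Microsoft: a Python filter that parses a message and drops its TNEF parts, recognising them by the declared content type, by the winmail.dat filename Outlook uses, or by the TNEF header signature when a part is mislabelled. The sample message and attachment bytes are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Every TNEF blob begins with the signature 0x223E9F78, stored little-endian.
TNEF_SIGNATURE = b"\x78\x9f\x3e\x22"


def is_tnef_part(part) -> bool:
    """Flag a MIME leaf as TNEF by type, by name, or by header signature."""
    if part.is_multipart():
        return False
    if part.get_content_type() == "application/ms-tnef":
        return True
    if (part.get_filename() or "").lower() == "winmail.dat":
        return True
    payload = part.get_payload(decode=True) or b""
    return payload[:4] == TNEF_SIGNATURE


def strip_tnef(raw: bytes):
    """Drop every TNEF part (nested multiparts included); return (bytes, removed)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    removed = []

    def prune(container):
        parts = container.get_payload()  # live list of child parts
        kept = []
        for p in parts:
            if p.is_multipart():
                prune(p)
                kept.append(p)
            elif is_tnef_part(p):
                removed.append(p.get_filename() or p.get_content_type())
            else:
                kept.append(p)
        parts[:] = kept

    if msg.is_multipart():
        prune(msg)
    return msg.as_bytes(), removed


def constructed_message(filename: str, subtype: str, blob: bytes) -> bytes:
    """Constructed sample: plain-text body plus one attachment, the shape
    Outlook produces when a Rich Text message carries winmail.dat."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(blob, maintype="application", subtype=subtype,
                       filename=filename)
    return msg.as_bytes()
```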
Tuesday's second bulletin, MS06-002, outlines a vulnerability in how Windows processes embedded Web fonts. An attacker could use malformed fonts on a Web site or in an HTML e-mail message to hack into a PC, said Microsoft's bulletin, which warned that "an attacker who successfully exploited this vulnerability could take complete control of an affected system."