Microsoft Fixes Nasty Outlook, Exchange E-Mail Bug

Microsoft serves up two more "Critical" bug fixes, including one for a bug that allows attackers to hack into any Exchange server or Outlook owner's PC just by sending a malformed E-mail message.
Microsoft's security problems didn't improve much Tuesday, when it followed last week's out-of-cycle fix of a major bug with two more "Critical" vulnerabilities, including one that allows attackers to hack into any Exchange server or Outlook owner's PC just by sending a malformed e-mail message.

The most dangerous of the two new vulnerabilities is the one spelled out in MS06-003, argued Mike Murray, director of research at vulnerability management vendor nCircle.

"This one isn't an MSBlast-style bug, but it's severe enough that if someone is clever, they'll come up with a quickly-propagating worm that will do some major damage," said Murray.

The problem, he added, is that it's a "dual opportunity vulnerability," since it impacts both Outlook, Microsoft's main e-mail client, and the Exchange mail server software.

"This one's going to be really interesting to watch," said Murray, "because it has two vectors, Exchange as well as Outlook. An attacker could e-mail one message to 100 people and compromise 15 servers and 100 people all at the same time."

Outlook and Exchange are vulnerable because of the way they decode the Transport Neutral Encapsulation Format (TNEF) MIME attachment. TNEF is used by Exchange and Outlook when sending and processing messages formatted as Rich Text Format (RTF), one of the formatting choices available to Outlook users (the others are Plain Text and HTML).

An attacker could gain full control of a Windows PC by sending a specially-formatted message to an Exchange Server and/or Outlook 2000, 2002, or 2003 user; unlike other attacks, ones based on this vulnerability wouldn't have to dupe users into opening e-mail attachments. Simply receiving such a message through an Exchange server is enough for a successful attack.

"If an attacker figures out how to craft two different payloads, one that affects the servers, the other that hits Outlook clients, you're going to see a really different worm, one with a unique propagation," warned Murray.

Microsoft's work-around for those who couldn't immediately apply the patch is to strip out all Rich Text-formatted messages at the gateway. But that, said Murray, might be impossible for enterprises. "I still get about 10 percent of my e-mail from people using Rich Text format. If a company starts stripping out 10 percent of its mail, it's going to have some serious e-mail issues."

The second bulletin of Tuesday, MS06-002, outlines a vulnerability in how Windows processes embedded Web fonts. An attacker could use malformed fonts in either a site or an HTML e-mail message to hack into a PC, said Microsoft's bulletin, which warned that "an attacker who successfully exploited this vulnerability could take complete control of an affected system." "It's almost like another Internet Explorer bug, even though it's in a different component," said Murray. "You'll see this exploited by e-mail, by Web sites, the usual, just like the WMF bug last week."

The vulnerability affects Windows 98, Millennium, 2000, XP (including SP2), and Windows Server 2003 (including SP1). Windows Server 2003, however, is a bit more robust, and so the threat ranking is the slightly lower "Important" for that OS.

According to eEye Digital Security, which discovered the bug and reported it to Microsoft July 31, 2005, the flaw lies in Embedded Open Type fonts, and can cause a standard heap overflow. In its online advisory, eEye noted that attackers could trick users by changing the default file extension of these fonts.

"Although these fonts typically have .eot file extensions, it should be noted that any extension may be used in order to exploit this vulnerability," read the advisory.

Even Microsoft admitted that this vulnerability could be used by attackers of all sorts. "An attacker could try to compromise a Web site and have it display malicious content. Additionally, it could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems," read the bulletin.

"How many times can this [kind of vulnerability] happen?" asked Murray.

Users can obtain the month's patches via Windows' Automatic Update, from the Microsoft Update service, or through other software and services the company maintains, such as Windows Server Update Services (WSUS) or Software Update Services (SUS).

However, Microsoft listed a caveat for the embedded Web font bug spelled out in MS06-002. Although the flaw affects Windows 98 and Millennium users, Microsoft doesn't have a patch ready yet for those operating systems.

"They will be made available as soon as possible," was all Microsoft said in the bulletin on timing.

Windows 98 and Millennium reached the end of their support lifespan in June, 2005; while Microsoft had pledged to continue deploying fixes for critical flaws, it recently declined to patch the Windows Metafile problem for those OSes.

Editor's Choice
James M. Connolly, Contributing Editor and Writer
Carrie Pallardy, Contributing Reporter
Roger Burkhardt, Capital Markets Chief Technology Officer, Broadridge Financial Solutions
Shane Snider, Senior Writer, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
John Edwards, Technology Journalist & Author