Microsoft Fixes Nasty Outlook, Exchange E-Mail Bug
Microsoft serves up two more "Critical" bug fixes, including one for a bug that allows attackers to hack into any Exchange server or Outlook owner's PC just by sending a malformed E-mail message.
Microsoft's security problems didn't improve much Tuesday, when it followed last week's out-of-cycle fix of a major bug with two more "Critical" vulnerabilities, including one that allows attackers to hack into any Exchange server or Outlook owner's PC just by sending a malformed e-mail message.
The most dangerous of the two new vulnerabilities is the one spelled out in MS06-003, argued Mike Murray, director of research at vulnerability management vendor nCircle.
"This one isn't an MSBlast-style bug, but it's severe enough that if someone is clever, they'll come up with a quickly-propagating worm that will do some major damage," said Murray.
The problem, he added, is that it's a "dual opportunity vulnerability," since it impacts both Outlook, Microsoft's main e-mail client, and the Exchange mail server software.
"This one's going to be really interesting to watch," said Murray, "because it has two vectors, Exchange as well as Outlook. An attacker could e-mail one message to 100 people and compromise 15 servers and 100 people all at the same time."
Outlook and Exchange are vulnerable because of the way they decode the Transport Neutral Encapsulation Format (TNEF) MIME attachment. TNEF is used by Exchange and Outlook when sending and processing messages formatted as Rich Text Format (RTF), one of the formatting choices available to Outlook users (the others are Plain Text and HTML).
An attacker could gain full control of a Windows PC by sending a specially-formatted message to an Exchange Server and/or Outlook 2000, 2002, or 2003 user; unlike other attacks, ones based on this vulnerability wouldn't have to dupe users into opening e-mail attachments. Simply receiving such a message through an Exchange server is enough for a successful attack.
"If an attacker figures out how to craft two different payloads, one that affects the servers, the other that hits Outlook clients, you're going to see a really different worm, one with a unique propagation," warned Murray.
Microsoft's work-around for those who couldn't immediately apply the patch is to strip out all Rich Text-formatted messages at the gateway. But that, said Murray, might be impossible for enterprises. "I still get about 10 percent of my e-mail from people using Rich Text format. If a company starts stripping out 10 percent of its mail, it's going to have some serious e-mail issues."
The second bulletin of Tuesday, MS06-002, outlines a vulnerability in how Windows processes embedded Web fonts. An attacker could use malformed fonts in either a site or an HTML e-mail message to hack into a PC, said Microsoft's bulletin, which warned that "an attacker who successfully exploited this vulnerability could take complete control of an affected system."
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Digital Transformation Myths & TruthsTransformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.