Expert: Microsoft TNEF flaw could lead to superworm

By Bill Brenner, Senior News Writer
10 Jan 2006 | SearchSecurity.com

Security Wire Daily News
IT administrators won't have much chance to breathe after deploying the patch Microsoft rushed out last week for the Windows Metafile (WMF) flaw. Microsoft unloaded two more critical fixes Tuesday for security holes in Windows, Outlook and Exchange Server.

One security expert worries that the hole affecting Outlook and Exchange Server could be exploited to cause major damage. The flaw is in how those programs decode Transport Neutral Encapsulation Format (TNEF) MIME attachments.

"An attacker could exploit the vulnerability by constructing a specially crafted TNEF message that could potentially allow remote code execution when a user opens or previews a malicious e-mail message, or when the Microsoft Exchange Server Information Store processes the specially crafted message," Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."

Mike Murray, director of vulnerability and exposure research for San Francisco-based nCircle Network Security Inc., said if the attackers were motivated to exploit the flaw in spectacular fashion, they could concoct a worm that attacks the entire transit path of an infected e-mail, potentially making it the fastest-spreading worm on record.

"The vulnerability is on the server and client side," he said. "So if I'm the bad guy and I send you an infected e-mail, I can exploit every Exchange server between me and you. Mail travels through multiple servers along the way."

Murray added that such a scenario is hardly a given. "I'm not saying that will happen," he said, "but there are some clever bad guys out there."

The other bulletin addresses a flaw in how Windows handles malformed embedded Web fonts. "An attacker could exploit the vulnerability by constructing a malicious embedded Web font that could potentially allow remote code execution if a user visited a malicious Web site or viewed a specially crafted e-mail message," Microsoft said.

As with the TNEF flaw, the software giant said, "An attacker who successfully exploited this vulnerability could take complete control of an affected system."

If the TNEF flaw is as bad as Murray suggested, IT shops that are just getting over the WMF problem could be in for a few more difficult days. Microsoft's out-of-cycle fix for the WMF flaw came after the digital underground was able to launch countless attacks against it.

And Monday, Cupertino, Calif.-based AV giant Symantec Corp. warned of two more WMF flaws.

"An attacker may leverage these issues to carry out a denial-of-service attack or execute arbitrary code on an affected computer with the privileges of the user viewing a malicious image," Symantec said. "An attacker may gain system privileges if an administrator views the malicious file. Local code execution may also facilitate a complete compromise."

Symantec said the first vulnerability is triggered "when the 'WMFRECORD.Function,PlayMetaFileRecord' value of the WMFRECORD structure is set to 0xff followed by supplying malicious values for 'Parameters.All_PointtStruct_Num' and 'PointtStruct.PointNum.' This causes the 'PointtStruct' structure to trigger an access violation error."

The firm said the second issue is triggered "when a large value such as 0xffff is supplied to the 'cbInput' parameter and a small value is supplied to 'szInData' parameter of the 'ExtEscape' function. This also causes an access violation error."
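Both of the WMF issues Symantec describes above are the same class of bug: a count or length field in a metafile record (a point count, or the byte count handed to the escape handler) that is larger than the data actually present, so the playback code reads past the record. The following is an added example, not code from the article, from Symantec or from Microsoft: a strict walker over the WMF record stream, written to the record layout in the MS-WMF specification (META_HEADER, then records of RecordSize WORDs followed by RecordFunction), that refuses any record whose declared counts overrun the bytes it contains. Mapping Symantec's field names ("PointNum", "cbInput"/"szInData") onto the META_POLYGON point count and the META_ESCAPE ByteCount is an assumption; the sample files at the bottom are constructed by hand for the demonstration and are not real malicious samples.

```python
"""
Added example: a bounds-checking walker for Windows Metafile (WMF) records.
Layout per MS-WMF: optional 22-byte placeable header, 18-byte META_HEADER,
then records of <RecordSize:uint32 words><RecordFunction:uint16><params>.
The mapping of Symantec's field names onto these records is an assumption.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7       # magic of the optional placeable header
META_EOF = 0x0000
META_POLYGON = 0x0324
META_POLYLINE = 0x0325
META_POLYPOLYGON = 0x0538
META_ESCAPE = 0x0626


class WmfError(ValueError):
    """A record's declared size or count overruns the data actually present."""


def _check_params(off, func, params):
    """Per-function bounds checks on the parameter bytes of one record."""
    n = len(params)
    if func in (META_POLYGON, META_POLYLINE):
        if n < 2:
            raise WmfError(f"record @{off}: missing point count")
        npoints = struct.unpack_from("<H", params, 0)[0]
        if 2 + 4 * npoints > n:                       # each point is two int16
            raise WmfError(f"record @{off}: {npoints} points declared, "
                           f"only {(n - 2) // 4} present")
    elif func == META_POLYPOLYGON:
        if n < 2:
            raise WmfError(f"record @{off}: missing polygon count")
        npoly = struct.unpack_from("<H", params, 0)[0]
        if 2 + 2 * npoly > n:
            raise WmfError(f"record @{off}: {npoly} polygons declared, counts overrun record")
        counts = struct.unpack_from(f"<{npoly}H", params, 2)
        if 2 + 2 * npoly + 4 * sum(counts) > n:
            raise WmfError(f"record @{off}: polypolygon points overrun record")
    elif func == META_ESCAPE:
        if n < 4:
            raise WmfError(f"record @{off}: escape header truncated")
        _esc_func, byte_count = struct.unpack_from("<HH", params, 0)
        if 4 + byte_count > n:                        # ByteCount vs. bytes really present
            raise WmfError(f"record @{off}: escape ByteCount {byte_count} exceeds {n - 4} bytes present")


def walk_wmf(data):
    """Yield (offset, function, params) per record; raise WmfError on any overrun."""
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY else 0
    if len(data) - off < 18:
        raise WmfError("META_HEADER truncated")
    _type, hdr_words, _ver, size_words, _nobj, _maxrec, _nmem = struct.unpack_from("<HHHIHIH", data, off)
    if hdr_words != 9:
        raise WmfError(f"bad HeaderSize {hdr_words}")
    if size_words * 2 > len(data) - off:
        raise WmfError(f"header claims {size_words * 2} bytes, file has {len(data) - off}")
    off += 18
    while True:
        if len(data) - off < 6:
            raise WmfError(f"record header @{off} runs past end of file")
        rec_words, func = struct.unpack_from("<IH", data, off)
        rec_bytes = rec_words * 2
        if rec_words < 3 or rec_bytes > len(data) - off:
            raise WmfError(f"record @{off}: RecordSize {rec_words} words, {len(data) - off} bytes remain")
        params = data[off + 6: off + rec_bytes]
        _check_params(off, func, params)
        yield off, func, params
        if func == META_EOF:
            return
        off += rec_bytes


def validate_wmf(data):
    """Return (True, [(offset, function, param_len), ...]) or (False, reason)."""
    try:
        return True, [(off, func, len(p)) for off, func, p in walk_wmf(data)]
    except WmfError as e:
        return False, str(e)


# --- constructed sample inputs (hand-built for the demo, not real samples) ----
def make_record(func, params):
    if len(params) % 2:
        params += b"\x00"
    return struct.pack("<IH", (6 + len(params)) // 2, func) + params


def make_wmf(records):
    eof = make_record(META_EOF, b"")
    body = b"".join(records) + eof
    max_rec = max(len(r) for r in records + [eof]) // 2
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_rec, 0)
    return header + body


THREE_POINTS = struct.pack("<6h", 0, 0, 10, 0, 10, 10)
GOOD = make_wmf([
    make_record(META_POLYGON, struct.pack("<H", 3) + THREE_POINTS),
    make_record(META_ESCAPE, struct.pack("<HH", 0x0F, 4) + b"ABCD"),
])
# point count claims 0x7FFF points but only three follow (count/length mismatch)
BAD_POINT_COUNT = make_wmf([make_record(META_POLYGON, struct.pack("<H", 0x7FFF) + THREE_POINTS)])
# escape ByteCount 0xFFFF with only four bytes of data (cbInput/szInData mismatch)
BAD_ESCAPE_LEN = make_wmf([make_record(META_ESCAPE, struct.pack("<HH", 0x0F, 0xFFFF) + b"ABCD")])
# RecordSize pointing past the end of the file
BAD_REC_SIZE = make_wmf([struct.pack("<IH", 0x1000, META_POLYLINE)])

if __name__ == "__main__":
    for name, blob in [("good", GOOD), ("bad_point_count", BAD_POINT_COUNT),
                       ("bad_escape_len", BAD_ESCAPE_LEN), ("bad_rec_size", BAD_REC_SIZE)]:
        print(name, validate_wmf(blob))
```

The invariant enforced at every level is the same one a hardened renderer needs: never trust a count or size from the file without first checking it against the bytes that remain, both for the record against the file and for each inner count against the record. Running the script on the three constructed bad inputs rejects each with the offset and the offending value, which is also a convenient triage check for suspect files during an outbreak like the one the article describes.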

On the plus side, the TNEF fix is out and could be deployed ahead of any attack, unlike the situation that existed before the WMF patch was released.

"System administrators are advised to deploy the associated patches as soon as possible," Symantec told customers of its DeepSight Threat Management System in an e-mail.
