Expert: Microsoft TNEF flaw could lead to superworm

By Bill Brenner, Senior News Writer
10 Jan 2006 | SearchSecurity.com

Security Wire Daily News

IT administrators won't have much chance to breathe after deploying the patch Microsoft rushed out last week for the Windows Metafile (WMF) glitch. Microsoft unloaded two more critical fixes Tuesday for security holes in Windows, Outlook and Exchange Server.

One security expert worries that the hole affecting Outlook and Exchange Server could be exploited to cause major damage. The flaw is in how those programs decode Transport Neutral Encapsulation Format (TNEF) MIME attachments.
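Because the flaw sits in the TNEF decoder, one thing a mail-gateway operator can do while patches roll out is count how many inbound messages actually carry TNEF parts. The following is an added example, not code from the article, from Microsoft or from nCircle: it parses a MIME message with Python's standard library and flags parts that look like TNEF by content type, by the conventional `winmail.dat` filename, or by the TNEF file signature. The signature value (0x223E9F78, stored little-endian) is a known property of the format and is not stated on the page; the sample message is constructed inline.

```python
"""Flag TNEF (winmail.dat) attachments in a MIME message.

Added example for the article above; not the article's own code.
Standard library only, so it runs offline.
"""
import email
from email import policy
from email.message import EmailMessage

# TNEF streams begin with a 32-bit signature 0x223E9F78 stored little-endian
# (bytes 78 9F 3E 22). This is a property of the format, not from the article.
TNEF_SIGNATURE = (0x223E9F78).to_bytes(4, "little")


def tnef_findings(raw_message: bytes) -> list:
    """Return (content_type, filename, reasons) for every TNEF-looking part.

    A part is reported if any one indicator matches; checking all three means
    a renamed or mislabelled attachment is still caught by its signature.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        reasons = []
        ctype = part.get_content_type()
        if ctype == "application/ms-tnef":
            reasons.append("content-type application/ms-tnef")
        filename = part.get_filename() or ""
        if filename.lower() == "winmail.dat":
            reasons.append("filename winmail.dat")
        payload = part.get_payload(decode=True) or b""
        if payload[:4] == TNEF_SIGNATURE:
            reasons.append("TNEF signature 0x223E9F78")
        if reasons:
            findings.append((ctype, filename, reasons))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: one TNEF-looking attachment plus one harmless one."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed sample message"
    msg.set_content("Body text.")
    # Signature followed by zero padding; enough to trip the detector, nothing more.
    msg.add_attachment(
        TNEF_SIGNATURE + b"\x00" * 12,
        maintype="application",
        subtype="ms-tnef",
        filename="winmail.dat",
    )
    msg.add_attachment(
        b"plain bytes",
        maintype="application",
        subtype="octet-stream",
        filename="notes.bin",
    )
    return msg.as_bytes()


if __name__ == "__main__":
    for ctype, name, why in tnef_findings(build_sample_message()):
        print(f"{ctype} {name!r}: {', '.join(why)}")
```

Run against a mail spool, the output tells an administrator how much legitimate TNEF traffic exists (Outlook-to-Outlook mail commonly uses it), which is the number needed before deciding whether to quarantine such attachments until the patch is deployed.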

"An attacker could exploit the vulnerability by constructing a specially crafted TNEF message that could potentially allow remote code execution when a user opens or previews a malicious e-mail message, or when the Microsoft Exchange Server Information Store processes the specially crafted message," Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."

Mike Murray, director of vulnerability and exposure research for San Francisco-based nCircle Network Security Inc., said if the attackers were motivated to exploit the flaw in spectacular fashion, they could concoct a worm that attacks the entire transit path of an infected e-mail, potentially making it the fastest-spreading worm on record.

"The vulnerability is on the server and client side," he said. "So if I'm the bad guy and I send you an infected e-mail, I can exploit every Exchange server between me and you. Mail travels through multiple servers along the way."

Murray added that such a scenario is hardly a given. "I'm not saying that will happen," he said, "but there are some clever bad guys out there."

The other bulletin addresses a flaw in how Windows handles malformed embedded Web fonts. "An attacker could exploit the vulnerability by constructing a malicious embedded Web font that could potentially allow remote code execution if a user visited a malicious Web site or viewed a specially crafted e-mail message," Microsoft said.

As with the TNEF flaw, the software giant said, "An attacker who successfully exploited this vulnerability could take complete control of an affected system."

If the TNEF flaw is as bad as Murray suggested, IT shops that are just getting over the WMF problem could be in for a few more difficult days. Microsoft's out-of-cycle fix for the WMF flaw came after the digital underground was able to launch countless attacks against it.

And Monday, Cupertino, Calif.-based AV giant Symantec Corp. warned of two more WMF flaws.

"An attacker may leverage these issues to carry out a denial-of-service attack or execute arbitrary code on an affected computer with the privileges of the user viewing a malicious image," Symantec said. "An attacker may gain system privileges if an administrator views the malicious file. Local code execution may also facilitate a complete compromise."

Symantec said the first vulnerability is triggered "when the 'WMFRECORD.Function,PlayMetaFileRecord' value of the WMFRECORD structure is set to 0xff followed by supplying malicious values for 'Parameters.All_PointtStruct_Num' and 'PointtStruct.PointNum.' This causes the 'PointtStruct' structure to trigger an access violation error."

The firm said the second issue is triggered "when a large value such as 0xffff is supplied to the 'cbInput' parameter and a small value is supplied to 'szInData' parameter of the 'ExtEscape' function. This also causes an access violation error."

On the plus side, the TNEF fix is out and could be deployed ahead of any attack, unlike the situation that existed before the WMF patch was released.

"System administrators are advised to deploy the associated patches as soon as possible," Symantec told customers of its DeepSight Threat Management System in an e-mail.
