Outlook TNEF flaw could be much worse than WMF flaw

By Justin Mann on
Despite just having dealt with a very serious WMF flaw that ended up with users creating their own patches, it seems that IT Staffing won't get much of a reprieve. Critical flaws discovered in Outlook 2003, Outlook 2000, Exchange Server 2000, Exchange Server 5.5 and Exchange Server 5.0 could lead to a huge amount of compromised machines. The exploit lies in the way these programs handle TNEF Mime content. A particularly crafted e-mail is all it takes, and all an Outlook client has to do is open or preview the message. On the server side, when Exchange's “Information Store” processes the message, it can be compromised.

"An attacker may leverage these issues to carry out a denial-of-service attack or execute arbitrary code on an affected computer with the privileges of the user viewing a malicious image," Symantec said. "An attacker may gain system privileges if an administrator views the malicious file. Local code execution may also facilitate a complete compromise."
This could end up being a much worse case than the WMF flaw, which resulted in a lot of headaches and many infected machines. Apparently, this has been known about for close to 3 months. Hopefully, Microsoft will wise up in the future and not wait extreme long amounts of time before fixing things like this, as Outlook and Exchange make up a huge amount of clients in the office environment.

Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...
Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.