
Expert: Microsoft TNEF flaw could lead to superworm

Bill Brenner, Senior News Writer

IT administrators won't have much chance to breathe after deploying the patch Microsoft rushed out last week for the Windows Meta File (WMF) glitch. Microsoft unloaded two more critical fixes Tuesday for security holes in Windows, Outlook and Exchange Server.

One security expert worries that the hole affecting Outlook and Exchange Server could be exploited to cause major damage. The flaw is in how those programs decode Transport Neutral Encapsulation Format (TNEF) MIME attachments.

"An attacker could exploit the vulnerability by constructing a specially crafted TNEF message that could potentially allow remote code execution when a user opens or previews a malicious e-mail message, or when the Microsoft Exchange Server Information Store processes the specially crafted message," Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."

Mike Murray, director of vulnerability and exposure research for San Francisco-based nCircle Network Security Inc., said if the attackers were motivated to exploit the flaw in spectacular fashion, they could concoct a worm that attacks the entire transit path of an infected e-mail, potentially making it the fastest-spreading worm on record.

"The vulnerability is on the server and client side," he said. "So if I'm the bad guy and I send you an infected e-mail, I can exploit every Exchange server between me and you. Mail travels through multiple servers along the way."

Murray added that such a scenario is hardly a given. "I'm not saying that will happen," he said, "but there are some clever bad guys out there."

The other bulletin addresses a flaw in how Windows handles malformed embedded Web fonts. "An attacker could exploit the vulnerability by constructing a malicious embedded Web font that could potentially allow remote code execution if a user visited a malicious Web site or viewed a specially crafted e-mail message," Microsoft said.

As with the TNEF flaw, the software giant said, "An attacker who successfully exploited this vulnerability could take complete control of an affected system."

If the TNEF flaw is as bad as Murray suggested, IT shops that are just getting over the WMF problem could be in for a few more difficult days. Microsoft's out-of-cycle fix for the WMF flaw came after the digital underground was able to launch countless attacks against it.

And Monday, Cupertino, Calif.-based AV giant Symantec Corp. warned of two more WMF flaws.

"An attacker may leverage these issues to carry out a denial-of-service attack or execute arbitrary code on an affected computer with the privileges of the user viewing a malicious image," Symantec said. "An attacker may gain system privileges if an administrator views the malicious file. Local code execution may also facilitate a complete compromise."

Symantec said the first vulnerability is triggered "when the 'WMFRECORD.Function,PlayMetaFileRecord' value of the WMFRECORD structure is set to 0xff followed by supplying malicious values for 'Parameters.All_PointtStruct_Num' and 'PointtStruct.PointNum.' This causes the 'PointtStruct' structure to trigger an access violation error."

The firm said the second issue is triggered "when a large value such as 0xffff is supplied to the 'cbInput' parameter and a small value is supplied to 'szInData' parameter of the 'ExtEscape' function. This also causes an access violation error."
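As an added illustration of the two malformed-record conditions Symantec describes, here is a defensive WMF record walker of the kind a mail gateway or file scanner would use to flag such files before an image viewer ever parses them. This is example code written for this page, not code from the article, Symantec or Microsoft. It uses the standard WMF layout (an 18-byte METAHEADER, then records made of an rdSize word count, an rdFunction value and parameters; a META_ESCAPE record carries an escape function number and a byte count). The checks it applies are taken from the two descriptions above: a record function value of 0xff, and an escape record whose declared byte count (the cbInput value) exceeds what the record actually contains. The escape function number 15 and the three sample files are constructed here; the scanner checks structural consistency only and does not claim to know which code path the real parser would take.

```python
import struct

META_EOF = 0x0000
META_ESCAPE = 0x0626          # WMF record that carries an Escape/ExtEscape call
PLACEABLE_MAGIC = 0x9AC6CDD7  # optional 22-byte placeable header in front of METAHEADER
SUSPECT_FUNCTION = 0x00FF     # record function value named in Symantec's description


def scan_wmf(data: bytes) -> list:
    """Walk the WMF record stream and return a list of findings (empty = nothing odd).

    Checks: header sanity, record size against file size, the 0xff record
    function, and an escape record whose declared byte count does not fit
    inside its own record.
    """
    findings = []
    off = 22 if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_MAGIC else 0
    if len(data) < off + 18:
        return ["truncated METAHEADER"]
    mt_type, hdr_words, _version, mt_size_words, _, _, _ = struct.unpack_from("<HHHIHIH", data, off)
    if hdr_words != 9 or mt_type not in (1, 2):
        findings.append("unexpected METAHEADER (type=%d, headerSize=%d words)" % (mt_type, hdr_words))
    if mt_size_words * 2 > len(data) - off:
        findings.append("mtSize claims %d bytes but only %d present" % (mt_size_words * 2, len(data) - off))
    off += 18

    while off + 6 <= len(data):
        rd_size_words, rd_function = struct.unpack_from("<IH", data, off)
        rd_bytes = rd_size_words * 2
        if rd_size_words < 3:
            findings.append("record at %d: rdSize %d words is below the 3-word minimum" % (off, rd_size_words))
            break
        if off + rd_bytes > len(data):
            findings.append("record at %d: rdSize %d bytes runs past end of file" % (off, rd_bytes))
            break
        if rd_function == SUSPECT_FUNCTION:
            findings.append("record at %d: function 0xff is not a defined WMF record" % off)
        if rd_function == META_ESCAPE:
            if rd_bytes < 10:
                findings.append("record at %d: META_ESCAPE too short to hold its parameters" % off)
            else:
                # parameters: escape function number, then the byte count of the escape data
                _esc_func, byte_count = struct.unpack_from("<HH", data, off + 6)
                payload = rd_bytes - 10
                if byte_count > payload:
                    findings.append("record at %d: META_ESCAPE byte count %d exceeds %d-byte payload"
                                    % (off, byte_count, payload))
        if rd_function == META_EOF:
            return findings
        off += rd_bytes
    findings.append("no META_EOF record before end of data")
    return findings


def _record(function: int, parms: bytes) -> bytes:
    """Build one WMF record: rdSize in words, rdFunction, then even-length parameters."""
    assert len(parms) % 2 == 0
    return struct.pack("<IH", (6 + len(parms)) // 2, function) + parms


def _wmf(records: bytes) -> bytes:
    """Wrap records in a minimal in-memory METAHEADER (constructed sample, no placeable header)."""
    return struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(records)) // 2, 0, 0, 0) + records


EOF_RECORD = _record(META_EOF, b"")
# Constructed samples; escape function number 15 is an arbitrary placeholder value.
BENIGN_WMF = _wmf(_record(META_ESCAPE, struct.pack("<HH", 15, 4) + b"ABCD") + EOF_RECORD)
OVERSIZED_ESCAPE_WMF = _wmf(_record(META_ESCAPE, struct.pack("<HH", 15, 0xFFFF) + b"ABCD") + EOF_RECORD)
BAD_FUNCTION_WMF = _wmf(_record(SUSPECT_FUNCTION, b"\x00\x00\x00\x00") + EOF_RECORD)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_WMF), ("oversized escape", OVERSIZED_ESCAPE_WMF),
                         ("function 0xff", BAD_FUNCTION_WMF)):
        print(name, "->", scan_wmf(sample) or "clean")
```

The scanner stops at the first structural impossibility (a record shorter than its own header or longer than the file) because nothing after that point can be trusted; everything else is reported and parsing continues, so one run lists every suspicious record in a file rather than only the first.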

On the plus side, the TNEF fix is out and could be deployed ahead of any attack, unlike the situation that existed before the WMF patch was released.

"System administrators are advised to deploy the associated patches as soon as possible," Symantec told customers of its DeepSight Threat Management System in an e-mail.