Microsoft's Newest Bug Could Be Awful, Researcher Says

The Outlook and Exchange vulnerability disclosed by Microsoft Tuesday has the potential to become a much more virulent problem than the long-hyped Windows Metafile bug patched last week, said one of the e-mail flaw's discoverers Wednesday.

"What I find bizarre is that there's still all this focus on the WMF [Windows Metafile] bug," said Mark Litchfield, the director of NGS Software, a U.K.-based security company, and one of the two researchers credited by Microsoft with the discovery of the TNEF (Transport Neutral Encapsulation Format) vulnerability.

"This one has massive financial implications if someone exploits it," Litchfield said.

The TNEF vulnerability, which Microsoft spelled out in the MS06-003 security bulletin, is a flaw in how Microsoft's Outlook client and older versions of its Exchange server software decode the TNEF MIME attachment. TNEF is used by Exchange and Outlook when sending and processing messages formatted as Rich Text Format (RTF), one of the formatting choices available to Outlook users.

"All that's required to exploit this is an e-mail message," said Litchfield. No user interaction is needed to compromise an Exchange 5.0, 5.5, or 2000 server; all that's necessary is to deliver a maliciously-crafted e-mail to the server.It's that characteristic, as well as the ease with which an attack could spread, that has Litchfield so worried.

"You could take over an Exchange server with a single, simple e-mail," he said. "From there you could target all the clients accessing that server. You would 'own' any Outlook client that connects to that server. Then an attacker could grab the Outlook users' address books.

"If you did it right, you could own every Outlook user in the world within a week," he said.

Microsoft noted the severity of the bug by tagging it with its highest warning label, "Critical," and by providing a patch for Exchange 5.0 and 5.5, obsolete versions whose support technically ended Dec. 31, 2005. The newest server software, Exchange Server 2003, is immune to the bug, although current editions of Outlook, including Outlook 2003, are not.

"Slammer was bad because it was fast and quick," said Litchfield, referring to a rapidly-spreading network worm in early 2003 that caused an estimated $750 million in damages and repair costs. "All business relies on e-mail, so while an exploit here may not be as fast [as Slammer] in the way it spreads, the financial cost could be far greater."Although both NGS and Microsoft have withheld technical information about the vulnerability, Litchfield didn't hold out much hope of that stymieing hackers.

"We always withhold all technical information for 90 days, but that's not going to prevent people reverse engineering the Microsoft patches," he said. The practice is, in fact, common; attackers often have no idea that a vulnerability exists until a patch is released. By examining the fix, they can often backtrack to the bug, then figure out how to exploit it.

"I wouldn't be shocked to see proof-of-concept or exploit code within a week," said Litchfield.

"If you didn't patch yesterday, you'd better patch today."