2006-01-11 16:01

[Microsoft Alert] Microsoft Security Bulletin MS06-003

Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)

Issued: January 10, 2006

Version: 1.0

 

Summary

 

Who should read this document: Customers who use Microsoft Outlook, Microsoft Exchange, or customers who have the Microsoft Office Multilingual User Interface (MUI) Packs, Microsoft Multilanguage Packs or Microsoft Office 2003 Language Interface Packs (LIPS) installed.

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Customers should apply the update immediately.

Security Update Replacement: None.

 

Vulnerability Details:

A remote code execution vulnerability exists in Microsoft Outlook and Microsoft Exchange Server because of the way that they decode the Transport Neutral Encapsulation Format (TNEF) MIME attachment.

An attacker could exploit the vulnerability by constructing a specially crafted TNEF message that could potentially allow remote code execution when a user opens or previews a malicious e-mail message or when the Microsoft Exchange Server Information Store processes the specially crafted message.

An attacker who successfully exploited this vulnerability could take complete control of an affected system.
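
Added example, not part of the bulletin: because the vulnerable code path is reached whenever a TNEF part is decoded, a mail gateway or triage script can inventory which messages carry TNEF at all. The sketch assumes identifiers the bulletin does not list: the MIME types application/ms-tnef and application/vnd.ms-tnef, the conventional attachment name winmail.dat, and the TNEF stream signature 0x223E9F78. It finds TNEF parts only and does not judge whether a part is malicious.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

TNEF_SIGNATURE = 0x223E9F78  # leading 32-bit little-endian value of a TNEF stream
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}


def find_tnef_parts(raw: bytes) -> list[dict]:
    """Report every leaf MIME part that is declared as TNEF or starts with its signature."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        body = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        declared = part.get_content_type() in TNEF_TYPES or name.lower() == "winmail.dat"
        signed = len(body) >= 4 and struct.unpack_from("<I", body)[0] == TNEF_SIGNATURE
        if declared and signed:
            verdict = "tnef"
        elif signed:
            verdict = "mislabeled"  # TNEF content behind another type or name
        elif declared:
            verdict = "declared-without-signature"  # malformed or truncated part
        else:
            continue
        findings.append({"filename": name, "type": part.get_content_type(),
                         "size": len(body), "verdict": verdict})
    return findings


def build_sample() -> bytes:
    """Constructed test message; the payloads are placeholders, not real TNEF bodies."""
    stub = struct.pack("<IH", TNEF_SIGNATURE, 1) + b"\x00" * 8
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("plain text body")
    msg.add_attachment(stub, maintype="application", subtype="ms-tnef", filename="winmail.dat")
    msg.add_attachment(stub, maintype="application", subtype="octet-stream", filename="notes.bin")
    msg.add_attachment(b"not tnef", maintype="application", subtype="ms-tnef", filename="winmail.dat")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_tnef_parts(build_sample()):
        print(finding)
```

Parts reported as "mislabeled" or "declared-without-signature" are the ones worth holding for review on systems that have not yet received the update.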

 

Affected Software:

Microsoft Office 2000 Service Pack 3

Microsoft Office 2000 Software:

Microsoft Outlook 2000

Microsoft Office 2000 MultiLanguage Packs

Microsoft Outlook 2000 English MultiLanguage Packs

 

Microsoft Office XP Service Pack 3

Microsoft Office XP Software:

Microsoft Outlook 2002

Microsoft Office XP Multilingual User Interface Packs

 

Microsoft Office 2003 Service Pack 1 and Service Pack 2

Microsoft Office 2003 Software:

Microsoft Outlook 2003

Microsoft Office 2003 Multilingual User Interface Packs

Microsoft Office 2003 Language Interface Packs

 

Microsoft Exchange Server

Microsoft Exchange Server 5.0 Service Pack 2

Microsoft Exchange Server 5.5 Service Pack 4

Microsoft Exchange 2000 Server Service Pack 3 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004

 

 

 

References: http://www.microsoft.com/security/bulletins/current.mspx (Microsoft Security Updates)





