Security experts are advising Windows managers to apply the latest Microsoft patches quickly since it affects two...
of the most widely used Microsoft products: Outlook and Exchange.
The paramount concern is the critical TNEF (Transport Neutral Encapsulation Format) flaw addressed in MS06-003. If a hacker finds a way to take advantage of the weakness, it could impact older versions of Exchange server as well as Outlook.
Next Generation Security Software Ltd, a U.K.-based security consulting firm credited with finding the TNEF exploit, believes it has the potential to be far more devastating than the Microsoft Windows Meta File (WMF) flaw.
"With WMF, a corporation could block access to problem sites," said John Heasman, a principal security consultant with the firm. "But, whereas all companies rely on e-mail, this has the potential to be much worse."
What has security analysts most concerned is that one malicious e-mail is all that is necessary to launch a worm-type attack on the system that receives it. A worm, which is a self-replicating virus typically spread by e-mail, could potentially be processed by an Exchange server and then target all Outlook clients accessing that system. The flaw does not affect Exchange Server 2003, but Outlook 2003 and other recent versions are not protected.
"This requires no user interaction," said Alain Sergile, a technical products manager with Internet Security System Inc.'s X-Force team in Atlanta. "Outlook has a broad footprint, and that makes this much more significant."
Chatter among users had a much calmer tone. Patch management forums, such as the patchmanagement.org mailing list run by Shavlik Technologies in Roseville, Minn., did not contain any discussions about the concern surrounding MS06-003. Windows administrators on that list were not reporting any major problems with deploying the patch either.
There was little buzz among users that consultant Lee Benjamin speaks to regularly. The owner of Exchange Guy Consulting in Boston said he normally hears if there is a big security issue with Exchange server.
"I had not heard about it yet," said Benjamin. "But for shops who apply fixes quickly, this should not be a problem."