Maliciously Crafted Email Can Pwn Your Exchange Server
Severity: High
10 February, 2009
Summary:
This vulnerability affects: All current versions of Exchange Server
How an attacker exploits it: By sending a specially crafted email (no user interaction necessary)
Impact: An attacker can potentially gain control of your Exchange Server
What to do: Deploy the appropriate Exchange Server patch immediately
Exposure:
Microsoft Exchange is one of the most popular email servers used today.
In a security bulletin released today, Microsoft describes two security vulnerabilities that affect all current versions of Exchange. The worst of these flaws has to do with how Exchange handles any email that uses a special format called the Transport Neutral Encapsulation Format (TNEF). By sending a specially crafted TNEF email to any valid account, an attacker could exploit this vulnerability to execute code on your email server with the same privileges as the Exchange Server service account. In some cases, this special Exchange account has administrative privileges, which means an attacker could potentially exploit this vulnerability to gain complete control of your email server. Not only would this give the attacker full access to your sensitive email, it would also provide a valuable foothold from which to penetrate the rest of your network. You should consider this flaw of the utmost risk and patch it immediately.
Microsoft’s bulletin also describes a lower-risk Denial of Service (DoS) vulnerability in Exchange. However, the TNEF vulnerability alone should convince most administrators to patch right away.
Solution Path:
Microsoft has released patches to fix these vulnerabilities. You should download, test, and deploy the appropriate Exchange patch as soon as possible.
For All WatchGuard Users:
An attacker can only exploit this vulnerability by sending a specially crafted TNEF email, which typically includes a TNEF attachment with the Application/MS-TNEF MIME type. To mitigate the risk of this vulnerability, you can use your Firebox’s SMTP proxy to block all attachments with the Application/MS-TNEF MIME type. Keep in mind that doing this will also block legitimate TNEF-formatted emails. If you would like to block the TNEF MIME type, the help files below contain instructions on how to allow or block MIME types within our SMTP proxy:
Status:
Microsoft has released patches to fix these vulnerabilities.
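Before blocking the Application/MS-TNEF MIME type as described under "For All WatchGuard Users", it helps to know which senders rely on TNEF. The Python script below is an added example, not WatchGuard or Microsoft code: it scans raw messages for TNEF parts and counts them per sender. The function names and the sample messages are constructed for illustration, and the script goes slightly beyond the advisory by also recognising TNEF data from its stream signature.

```python
import email
from email import policy
from email.message import EmailMessage

# The advisory names application/ms-tnef; application/vnd.ms-tnef is the registered form.
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}
# First four bytes of a TNEF stream: signature 0x223E9F78, stored little-endian.
TNEF_MAGIC = bytes.fromhex("789f3e22")


def find_tnef_parts(raw_message):
    """Return (filename, content_type, reason) for every TNEF part in one message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        ctype = part.get_content_type()  # lower-cased by the email package
        payload = part.get_payload(decode=True) or b""  # None for multipart containers
        reason = ("mime-type" if ctype in TNEF_TYPES else
                  "signature" if payload.startswith(TNEF_MAGIC) else None)
        if reason:
            hits.append((part.get_filename(), ctype, reason))
    return hits


def summarize(messages):
    """Count messages that carry at least one TNEF part, keyed by From header."""
    counts = {}
    for raw in messages:
        if find_tnef_parts(raw):
            sender = str(email.message_from_bytes(raw, policy=policy.default)["From"])
            counts[sender] = counts.get(sender, 0) + 1
    return counts


def make_sample(sender, ctype, body):
    """Build a constructed test message (not real mail) with one attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.com", "constructed sample"
    m.set_content("see attachment")
    maintype, subtype = ctype.split("/")
    m.add_attachment(body, maintype=maintype, subtype=subtype, filename="winmail.dat")
    return m.as_bytes()


SAMPLES = [
    make_sample("a@example.org", "application/ms-tnef", TNEF_MAGIC + b"\x00" * 8),
    make_sample("b@example.org", "application/octet-stream", TNEF_MAGIC + b"\x00" * 8),
    make_sample("c@example.org", "application/pdf", b"%PDF-1.4 constructed"),
]
print(summarize(SAMPLES))
```

Run it over a sample of recent inbound mail (for example, `.eml` files read as bytes) to see how much legitimate traffic the block would affect.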