Microsoft patches Exchange, Outlook, Windows

LATEST NEWS

Computerworld is New Zealand's only specialised information systems fortnightly.
Subscribe now for $100 (23 issues) and save more than 37% off the cover price!

Get the latest news from Computerworld delivered via email.
Sign up now

The bugs could allow an attacker to take complete control of an affected system

By By Robert McMillan | San Fransisco | Thursday, 12 January, 2006

Microsoft has released patches for two critical security flaws in its software products. The patches fix a problem in the Windows operating system, as well as a bug in the Outlook and Exchange messaging software, all of which could theoretically be exploited by attackers to seize control of an unpatched computer.

The Windows bug relates to the way the OS processes embedded web fonts, which are used by web page authors to ensure that their pages are displayed exactly as intended. By tricking a user into visiting a web page with a specially formed embedded web font, an attacker could, in theory, "take complete control of an affected system," Microsoft warns on its web site.

The second vulnerability relates to the TNEF (Transport Neutral Encapsulation Format) encoding format used by Outlook and Exchange. In theory, attackers could send specially crafted email messages to unpatched Exchange servers or Outlook clients that could then be used to seize control of the systems running the messaging software.

Because hackers have not yet published code that shows how to exploit these bugs, the two vulnerabilities are not considered as dangerous as the Windows WMF (Windows Metafile Format) flaw that Microsoft patched late last week. But the flaws are critical, and security experts suggest that it may only be a matter of time before they are exploited.

The web fonts bug seems like it will be the easier of the two for attackers to exploit, says Alain Sergile, technical product manager for Internet Security Systems's X-Force research team. But because the TNEF bug can affect server software as well as the client, it is particularly noteworthy, he says. "We deem this one very critical and very serious because of the criticality of Exchange within organisations," he says.

Microsoft rates the web fonts bug as critical for Windows 98, 2000 and XP users. The TNEF flaw is rated critical for Outlook 2000, 2002 and 2003, as well as Exchange Server 5.0 and 5.5 and Exchange 2000 server. This latter flaw also affects users running the Office Multilingual User Interface Packs.