Monday, January 23, 2006

Reason #2,463 not to run Windows

The latest discovered security problem with Exchange and Outlook is a real humdinger. Before I go farther, the disclaimer: I do have a dog in this particular fight as the product sets I work on are, to some degree, in direct competition with Exchange.

There is a bug in Exchange 5.0, 5.5 and 2000 server and apparently all versions of Outlook in their TNEF (Transport Neutral Encapsulation Format) parsing library. The bug can be exploited by sending an email. Opening the email or clicking on an attachment is not required. Exercise of the bug can turn over control of the entire machine to the code embedded in message. Lovely.

Being an anti-Microsoft biggot, my personal recommendation is always to avoid running their code in general (hence the title). In this case, I would strongly urge going to Thunderbird or some other email client at least until they have a patch out and you have applied it. All modern versions of Exchange support IMAP and most IMAP clients work just fine with it. I have no clue how you protect an Exchange server... if at all. If you are responsible for one I would suggest looking into that post haste before the inevitable worm(s) exploiting this starts its way around the net.

From the article on serverpipeline:
"You could take over an Exchange server with a single, simple e-mail," he said. "From there you could target all the clients accessing that server. You would 'own' any Outlook client that connects to that server. Then an attacker could grab the Outlook users' address books.

"If you did it right, you could own every Outlook user in the world within a week," he said.