Errr this is a bit long.

Patch report
I applied the TNEF patch to two legacy Exchange 5.5 SP4 servers OK, although one did require a reboot. Definitely time to move from *that* platform though as that was the last patch for 5.5.

Further reading
There's a good article here outlining the seriousness of this flaw. It's definitely worth reading and bringing to the attention of your management team - and there are two very chilling paragraphs:

"You could take over an Exchange server with a single, simple email," he said. "From there you could target all the clients accessing that server. You would 'own' any Outlook client that connects to that server. Then an attacker could grab the Outlook users' address books.

"If you did it right, you could own every Outlook user in the world within a week," he said.
This is why I mentioned the Witty Worm in an earlier post (see this analysis of its spread if you don't know about it). Witty targeted firewalls and perimeter security servers and basically infected 100% of vulnerable systems within a few hours and destroyed them. It was an unusual worm, not just because of the speed it spread at and its destructiveness, but because it targeted infrastructure rather than client PCs. You can see that it would be quite possible for a worm to target Exchange Servers only and spread at an incredibly fast rate until all vulnerable servers become infected. Add a malicious payload onto the worm and... well... it doesn't bear thinking about.

That's just the servers - of course the clients are vulnerable too, and patching Office is a real pain in the backside unless you've upgraded to WSUS or some other patch management tool. If you're still running SUS then you're gonna have to come up with an alternative plan to get systems patched.

Outlook versions
Worse still, I know a lot of people are still running Outlook 97 and 98. There's no mention of these on the MS web site, but we've all seen how these flaws go aaaaallllllllll the way back, so it's quite likely that these older systems are vulnerable too.

Workarounds
And I think the workarounds for this vulnerability suck. Filtering or blocking RTF formatted emails would potentially lead to too many important lost messages.

I put a filter on our incoming messages to take a copy of anything with "MS-TNEF" in the mail headers; at the moment it looks like around 4% of incoming messages are formatted in this way. Still, it's worth considering as an option in case things start to go pear shaped. (For the record, I'm using Postini to do this.)
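To put a number on the "MS-TNEF" filter described above without a hosted service, here is an added example (not part of the original post, and not Postini's own filter) that parses messages with Python's standard email module, flags any MIME part declared application/ms-tnef or named winmail.dat, and reports what share of the sample they make up; the two messages are constructed, and the file-level check is assumed to be run against a spool or mbox you already have.

```python
# Added example (not from the original post): flag incoming messages whose MIME
# parts carry MS-TNEF (winmail.dat), the container the Exchange/Outlook TNEF
# flaw is delivered in, and report what share of the mail stream they make up.
import email
from email import policy

def is_tnef(msg):
    """True if any MIME part is MS-TNEF, by declared type or winmail.dat name."""
    for part in msg.walk():
        ctype = part.get_content_type().lower()
        fname = (part.get_filename() or "").lower()
        if ctype == "application/ms-tnef" or fname == "winmail.dat":
            return True
    return False

def tnef_share(raw_messages):
    """Return (flagged, total, percent) for a list of raw RFC 2822 strings."""
    flagged = sum(1 for raw in raw_messages
                  if is_tnef(email.message_from_string(raw, policy=policy.default)))
    total = len(raw_messages)
    return flagged, total, (100.0 * flagged / total if total else 0.0)

# Constructed sample messages (not real mail): one plain text, one TNEF-encoded.
PLAIN = """From: a@example.com
To: b@example.com
Subject: hello
Content-Type: text/plain

just text
"""

TNEF = """From: a@example.com
To: b@example.com
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

see attached
--XX
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Disposition: attachment; filename="winmail.dat"
Content-Transfer-Encoding: base64

eJ8+IgAAAA==
--XX--
"""
```

Feeding a real mailbox through tnef_share gives the same kind of percentage quoted above, which tells you how much legitimate mail a blanket TNEF block would cost before you turn one on.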


I think this has the potential for being an extremely serious and hard to contain threat.