Check Point Reference: | CPAI-2006-002 |
Date Published: | 11 Jan 2006 |
Severity: | High |
Last Updated: | Tuesday 08 May, 2007 |
Source: | Microsoft Security Bulletin MS06-003 |
Industry Reference: | CVE-2006-0002 |
Protection Provided by: | |
Who is Vulnerable? | Microsoft Exchange Server 5.0, Microsoft Exchange Server 5.5, Microsoft Exchange Server 2000, Microsoft Outlook 2000, Microsoft Outlook 2002, Microsoft Outlook 2003 |
Vulnerability Description | A vulnerability exists in the way Microsoft Exchange Server and Microsoft Outlook products decode Transport Neutral Encapsulation Format (TNEF) MIME attachments. The TNEF format is used by many Microsoft products, such as Exchange and Outlook, to transfer messages formatted as Rich Text Format (RTF). An attacker can supply a crafted TNEF attachment and take complete control of an affected system. |
Vulnerability Status | No exploit has been published so far. |
Update/Patch Available | Please review Microsoft Security Bulletin MS06-003 for a complete list of affected products and their patches: http://www.microsoft.com/technet/security/bulletin/MS06-003.mspx |
Vulnerability Details | A vulnerability exists in the component responsible for TNEF decoding in Microsoft Exchange Server and Microsoft Outlook products. These products fail to properly validate several object value sizes in a TNEF attachment. The size values supplied in a message are not restricted to a permitted range, so overly large values can be specified. |
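
A receiver-side bounds check of the kind described above, as an added example that is not Microsoft's or Check Point's code. The attribute layout (signature, 2-byte key, then level, 4-byte id, 4-byte length, data, 2-byte checksum) is taken from the public TNEF format rather than from this advisory, which does not say which size fields are affected; `tnef_validate` and the sample buffers are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define TNEF_SIGNATURE 0x223E9F78u  /* public TNEF format, not from this advisory */

/* Little-endian reads from a buffer the caller has already bounds-checked. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Returns 0 if every attribute fits inside buf, -1 on a bad header,
 * -2 if a declared size overruns the buffer, -3 on bad level or checksum. */
int tnef_validate(const uint8_t *buf, size_t len) {
    if (len < 6 || rd32(buf) != TNEF_SIGNATURE) return -1;
    size_t off = 6;                       /* signature (4) + key (2) */
    while (off < len) {
        if (len - off < 9) return -2;     /* level (1) + id (4) + length (4) */
        uint8_t level = buf[off];
        uint32_t alen = rd32(buf + off + 5);
        off += 9;
        if (level != 1 && level != 2) return -3;
        /* Compare against the remaining bytes by subtraction, so an
         * overly large declared length cannot wrap an addition. */
        if (len - off < 2 || alen > len - off - 2) return -2;
        uint16_t sum = 0;
        for (uint32_t i = 0; i < alen; i++) sum = (uint16_t)(sum + buf[off + i]);
        if (sum != rd16(buf + off + alen)) return -3;
        off += (size_t)alen + 2;          /* data + checksum */
    }
    return 0;
}

/* Constructed samples: one message-level attribute with 2 data bytes. */
static const uint8_t sample_ok[] = {
    0x78,0x9F,0x3E,0x22, 0x01,0x00,  0x01, 0x04,0x80,0x01,0x00,
    0x02,0x00,0x00,0x00, 0x41,0x42, 0x83,0x00 };
/* Same bytes, but the length field claims 0xFFFFFFFF. */
static const uint8_t sample_oversized[] = {
    0x78,0x9F,0x3E,0x22, 0x01,0x00,  0x01, 0x04,0x80,0x01,0x00,
    0xFF,0xFF,0xFF,0xFF, 0x41,0x42, 0x83,0x00 };

int main(void) {
    /* Exit status 0 when the good sample passes and the oversized one is rejected. */
    return !(tnef_validate(sample_ok, sizeof sample_ok) == 0 &&
             tnef_validate(sample_oversized, sizeof sample_oversized) == -2);
}
```

A decoder that runs a check like this before allocating or copying rejects the attachment as soon as a declared size exceeds what the message actually contains.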