February 2009 Black Tuesday Report - Critical Exchange Server Patch

We interrupt our regularly scheduled Valentine's Day Spam Countdown for an important message about Microsoft Black Tuesday. Yesterday's patches contain a special one for Exchange Server administrators.

The Patch, labeled MS09-003, addresses a vulnerability in "Transport Neutral Encapsulation", or TNEF attachments. These are the ones that non-Exchange users frequently see as a "winmail.dat" file. Basically, its possible for an attacker to create a Rich Text Format file (.RTF) or an X.400 attachment, and send it using TNEF in such a way that when your Exchange Server processes the message, it can corrupt memory on the server, allowing the attacker to remotely execute "arbitrary commands".

It is at least provable in theory that an email message can be crafted then, to execute any command it wants to on your Exchange Server.

The National Vulnerability Database labels this CVE-2009-0098 and gives this Overview:

Microsoft Exchange 2000 Server SP3, Exchange Server 2003 SP2, and Exchange Server 2007 SP1 do not properly interpret Transport Neutral Encapsulation (TNEF) properties, which allows remote attackers to execute arbitrary code via a crafted TNEF message, aka "Memory Corruption Vulnerability."

A second related bug allows an embedded MAPI command to be used to cause the Microsoft Exchange System Attendant service and other services that use EMSMDB32 to stop responding to messages, which would pretty much hang Exchange.

That sound pretty much like a Must Patch Now situation. Exploit code has not been seen in the wild yet, and Microsoft's Exploitability Index prediction is that "Inconsistent Exploit Code is Likely" with the most probable result leading to "Denial of Service". The "Remote Execution of Arbitrary Code" sounds like it would be much more challenging to pull off.

Bogdan Materna of VoIPShield Systems is thanked by Microsoft for reporting the underlying issue that lead to MS09-003.

---

The other big one this month is the standard Internet Explorer Security Roll-up patch. This one is MS09-002 and has two new ways for website authors to add code to their web pages to give them the ability to execute arbitrary code on your windows computer with the same rights as the logged in user.

The first vulnerability is called an "Uninitialized Memory Corruption Vulnerability" and deals with the security context for deleted items.

The second vulnerability is called a "CSS Memory Corruption Vulnerability" and is an attack based on how IE handles Cascading Style Sheets.

The recommended work-around is the same as it always has been for Internet Explorer. Create a "Trusted Sites" zone in your IE settings, and only allow programs to use ActiveX or Active Scripting if they are in your Trusted sites zone!

A special caution is given about surfing the web as Administrator as well . . .

"If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

This latter set of vulnerabilities was shared with Microsoft by Tipping Point and the Zero Day Initiative. Sam Thomas, who works with both, is credited with the CSS Memory Corruption.

We'll be back with more Valentine's Day Spam from the UAB Spam Data Mine tomorrow.