Connections +
News

ISS warns against potential Microsoft Exchange worm

Enterprise security software vendor Internet Security Systems Inc. (ISS) has cautioned computer users that a vulner...


May 10, 2006  


Print this page

Enterprise security software vendor Internet Security Systems Inc. (ISS) has cautioned computer users that a vulnerability announced today in the Microsoft Exchange calendar feature could lead to a worm.

ISS is providing customers with ahead-of-the-threat protection for this issue through its proprietary Virtual Patch technology.

“The widespread adoption of Microsoft Exchange and its built-in calendar functionality within the enterprise, combined with the unauthenticated remote access nature of the mail service, means that attackers will race to develop exploit material for this vulnerability,” said Gunter Ollmann, director of the company’s research and development team.

“What is most concerning is that exploitation of this vulnerability does not require any user interaction whatsoever.” As part of its monthly security updates, Microsoft today issued an advisory for a vulnerability in the way Microsoft Exchange Server handles malformed calendar attachments.

Exchange Server is unable to properly recover from an invalid property being sent as part of the calendar attachment and may subsequently overwrite data.

The vulnerability could allow an unauthenticated attacker to send a specially crafted e-mail message to a Microsoft Exchange Server and cause a denial of service condition or potentially execute arbitrary code.

In order to compromise a machine and propagate itself, a malformed attachment would not have to be read by the message recipient.

“In order to take advantage of this vulnerability, a maliciously-crafted e-mail would simply have to reach an organization’s Exchange Server,” said Ollmann. “This makes conditions ripe for the creation of a mail-centric worm.”

Successful exploitation of this vulnerability could be used to obtain unauthorized access to networks and machines, leading to exposure of confidential information, loss of productivity and further network compromise.

The ISS X-Force alert on this vulnerability can be found at: http://xforce.iss.net/xforce/alerts/id/221.