{"vuid":"VU#252146","idnumber":"252146","name":"Microsoft Outlook and Microsoft Exchange TNEF decoding buffer overflow","keywords":["Microsoft","MS06-003","buffer overflow","TNEF","Outlook","Exchange"],"overview":"Microsoft Outlook and Microsoft Exchange contain a buffer overflow vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a system running the vulnerable software.","clean_desc":"Transport Neutral Encapsulation Format (TNEF) TNEF is a proprietary Microsoft format for encoding rich text email messages. Microsoft Outlook and Microsoft Exchange support the use of TNEF-encoded messages. The problem Microsoft Outlook and Microsoft Exchange do not properly validate TNEF MIME attachments, potentially allowing a buffer overflow to occur. The overflow occurs in in the process that decodes TNEF MIME attachments. A remote attacker may be able trigger the buffer overflow by sending a specially crafted TNEF MIME attachment to a vulnerable Outlook or Exchange installation. Note that on user workstations, exploitation may require a user to open or preview a malicious mail message in Outlook. However, on Exchange servers, this vulnerability can be exploited without human interaction. For more information, please see Microsoft Security Bulletin MS06-003.","impact":"A remote, unauthenticated attacker may be able to execute arbitrary code on a system running the vulnerable software. Microsoft Outlook can trigger the vulnerability when it opens or displays a preview for a specially crafted message. Microsoft Exchange can trigger the vulnerability when it processes a specially crafted message.","resolution":"Apply a patch from your vendor\nMicrosoft addresses this vulnerability with the updates listed in Microsoft Security Bulletin MS06-003.","workarounds":"Workarounds Microsoft has listed several workarounds in Microsoft Security Bulletin MS06-003, including blocking attachments with the MIME type of application/ms-tnef.","sysaffected":"","thanks":"This vulnerability was reported by Microsoft, who in turn credit John Heasman and Mark Litchfield of NGS Software.","author":"This document was written by Will Dormann and Jeff Gennari.","public":["http://www.microsoft.com/technet/security/bulletin/ms06-003.mspx","http://support.microsoft.com/kb/224817","http://support.microsoft.com/kb/290809"],"cveids":["CVE-2006-0002"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2006-01-10T19:38:03Z","publicdate":"2006-01-10T00:00:00Z","datefirstpublished":"2006-01-10T20:06:45Z","dateupdated":"2006-01-17T01:26:53Z","revision":22,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"4","cam_widelyknown":"10","cam_exploitation":"0","cam_internetinfrastructure":"17","cam_population":"20","cam_impact":"18","cam_easeofexploitation":"7","cam_attackeraccessrequired":"20","cam_scorecurrent":"25.515","cam_scorecurrentwidelyknown":"34.965","cam_scorecurrentwidelyknownexploited":"53.865","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":25.515,"vulnote":null}