{"id":4108,"date":"2006-01-11T07:08:36","date_gmt":"2006-01-11T07:08:36","guid":{"rendered":"http:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/e-commerce\/microsoft-windows-outlook-and-exchange-vulnerabilities.html"},"modified":"2006-01-11T07:08:36","modified_gmt":"2006-01-11T07:08:36","slug":"microsoft-windows-outlook-and-exchange-vulnerabilities","status":"publish","type":"post","link":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/technology\/microsoft-windows-outlook-and-exchange-vulnerabilities.html","title":{"rendered":"Microsoft Windows, Outlook, and Exchange Vulnerabilities"},"content":{"rendered":"

I thought I would pass this security alert on. Seems like a lot of security problems this past few weeks. I am looking forward to more secure operating systems\/software in the future.<\/p>\n

———————<\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>\u00a0\u00a0\u00a0\u00a0\u00a0<\/span>National Cyber Alert System<\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span>Technical Cyber Security Alert TA06-010A<\/p>\n

Microsoft Windows, Outlook, and Exchange Vulnerabilities<\/p>\n

\u00a0\u00a0 <\/span>Original release date: January 10, 2006
\u00a0\u00a0 <\/span>Last revised: January 10, 2006
\u00a0\u00a0 <\/span>Source: US-CERT<\/p>\n

Systems Affected<\/p>\n

\u00a0\u00a0\u00a0\u00a0 <\/span>* Microsoft Windows
\u00a0\u00a0\u00a0\u00a0 <\/span>* Microsoft Outlook
\u00a0\u00a0\u00a0\u00a0 <\/span>* Microsoft Exchange<\/p>\n

\u00a0\u00a0 <\/span>For more complete information, refer to the Microsoft Security
\u00a0\u00a0 <\/span>Bulletin Summary for January 2006.<\/p>\n

Overview<\/p>\n

\u00a0\u00a0 <\/span>Microsoft has released updates that address critical vulnerabilities
\u00a0\u00a0 <\/span>in Windows, Outlook, and Exchange. Exploitation of these
\u00a0\u00a0 <\/span>vulnerabilities could allow a remote, unauthenticated attacker to
\u00a0\u00a0 <\/span>execute arbitrary code or cause a denial of service on a vulnerable
\u00a0\u00a0 <\/span>system.<\/p>\n

I.<\/place> Description<\/p>\n

\u00a0\u00a0 <\/span>Microsoft Security Bulletins for January 2006 address vulnerabilities
\u00a0\u00a0 <\/span>in Microsoft Windows, Outlook, and Exchange. Further information is
\u00a0\u00a0 <\/span>available in the following US-CERT Vulnerability Notes:<\/p>\n

\u00a0\u00a0 <\/span>VU#915930 – Microsoft embedded web font buffer overflow <\/p>\n

\u00a0\u00a0 <\/span>A heap-based buffer overflow in the way Microsoft Windows processes
\u00a0\u00a0 <\/span>embedded web fonts may allow a remote, unauthenticated attacker to
\u00a0\u00a0 <\/span>execute arbitrary code on a vulnerable system.
\u00a0\u00a0 <\/span>(CVE-2006-0010)<\/p>\n

\u00a0\u00a0 <\/span>VU#252146 – Microsoft Outlook and Microsoft Exchange TNEF decoding
\u00a0\u00a0 <\/span>vulnerability <\/p>\n

\u00a0\u00a0 <\/span>Microsoft Outlook and Microsoft Exchange contain an unspecified
\u00a0\u00a0 <\/span>vulnerability in processing TNEF attachments. This may allow a remote,
\u00a0\u00a0 <\/span>unauthenticated attacker to execute arbitrary code on a system running
\u00a0\u00a0 <\/span>the vulnerable software.
\u00a0\u00a0 <\/span>(CVE-2006-0002)<\/p>\n

II. Impact<\/p>\n

\u00a0\u00a0 <\/span>Exploitation of these vulnerabilities may allow a remote,
\u00a0\u00a0 <\/span>unauthenticated attacker to execute arbitrary code with the privileges
\u00a0\u00a0 <\/span>of the user. If the user is logged on with administrative privileges,
\u00a0\u00a0 <\/span>the attacker could take complete control of an affected system. An
\u00a0\u00a0 <\/span>attacker may also be able to cause a denial of service.<\/p>\n

III. Solution<\/p>\n

Apply Updates<\/p>\n

\u00a0\u00a0 <\/span>Microsoft has provided the updates for these vulnerabilities in the
\u00a0\u00a0 <\/span>Security Bulletins and on the Microsoft Update site.<\/p>\n

Workarounds<\/p>\n

\u00a0\u00a0 <\/span>Please see the US-CERT Vulnerability Notes in Appendix A for workarounds.<\/p>\n

Appendix A. References<\/p>\n

\u00a0\u00a0\u00a0\u00a0 <\/span>* Microsoft Security Bulletin Summary for January 2006 –
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><http:\/\/www.microsoft.com\/technet\/security\/bulletin\/ms06-jan.mspx<\/a>><\/p>\n

\u00a0\u00a0\u00a0\u00a0 <\/span>* US-CERT Vulnerability Note VU#915930 –
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><http:\/\/www.kb.cert.org\/vuls\/id\/915930<\/a>><\/p>\n

\u00a0\u00a0\u00a0\u00a0 <\/span>* US-CERT Vulnerability Note VU#252146 –
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><http:\/\/www.kb.cert.org\/vuls\/id\/252146<\/a>><\/p>\n

\u00a0\u00a0\u00a0 <\/span>\u00a0<\/span>* CVE-2006-0002 –
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2006-0002<\/a>><\/p>\n

\u00a0\u00a0\u00a0\u00a0 <\/span>* CAN-2006-0010 –
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 <\/span><http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2006-0010<\/a>><\/p>\n

\u00a0\u00a0\u00a0\u00a0 <\/span>* Microsoft Update – <https:\/\/update.microsoft.com\/microsoftupdate<\/a>><\/p>\n

\u00a0<\/span>____________________________________________________________________<\/p>\n

\u00a0\u00a0 <\/span>The most recent version of this document can be found at:<\/p>\n

\u00a0\u00a0\u00a0\u00a0 <\/span><http:\/\/www.us-cert.gov\/cas\/techalerts\/TA06-010A.html<\/a>>
\u00a0<\/span>____________________________________________________________________<\/p>\n

\u00a0\u00a0 <\/span>Feedback can be directed to US-CERT Technical Staff. Please send
\u00a0\u00a0 <\/span>email to <cert@cert.org> with "TA06-010A Feedback VU#915930" in the
\u00a0\u00a0 <\/span>subject.
\u00a0<\/span>____________________________________________________________________<\/p>\n

\u00a0\u00a0 <\/span>For instructions on subscribing to or unsubscribing from this
\u00a0\u00a0 <\/span>mailing list, visit <http:\/\/www.us-cert.gov\/cas\/signup.html<\/a>>.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

I thought I would pass this security alert on. Seems like a lot of security problems this past few weeks. I am looking forward to more secure operating systems\/software in the future. ——————— \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0National Cyber Alert System \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Technical Cyber Security Alert TA06-010A Microsoft Windows, Outlook, and Exchange Vulnerabilities \u00a0\u00a0 Original release date: January<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[118],"tags":[284,226,273,473],"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/4108"}],"collection":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/comments?post=4108"}],"version-history":[{"count":0,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/posts\/4108\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/media?parent=4108"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/categories?post=4108"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.tmcnet.com\/blog\/rich-tehrani\/wp-json\/wp\/v2\/tags?post=4108"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}