Re: 2 critical vulns and the clock is ticking.. [Fwd: [EEYEB-2000801]]

[Matthew Murphy <mattmurphy () kc rr com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Gadi Evron wrote:
> OK, so we have an advisory for this. Fun.
>
> Any idea about the NGSsoftware one?
>
>     Gadi.

It appears that NGSSoftware's report is related to the TNEF
functionality that supports embedding COM/OLE/ActiveX objects into RTF
e-mail.  The MS bulletin states that TNEF files can contain "malicious
OLE objects" which I take to mean you can embed items that, when viewing
on them is triggered, execute code that may not be safe for a
mail-reading environment.

Exactly what that has to do with Exchange Server's role in processing
routed TNEF-encoded e-mail, I have no idea.

TNEF is only used to encode e-mail in Microsoft's proprietary "Rich
Text" format, which is a heavily-extended RTF.  Due to the information
leakage and incompatibility of TNEF with standards-compliant e-mail
readers, most servers and most users shouldn't have a need to send or
receive RTF e-mail with attached TNEF formatting information.

Stripping the relevant MIME type (I believe, application/x-ms-tnef)
should be sufficient.  It will reduce potentially-nasty RTF-encoded
e-mail to standard plain text.

- --
"Social Darwinism: Try to make something idiot-proof,
nature will provide you with a better idiot."

                                -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)

iD8DBQFDxErrfp4vUrVETTgRA0KsAJ9db/mSRDl7luRN8QzicoN9JpUlewCfbzPD
uPUxmEluYbrlQGVVgxX3nTA=
=GunB
-----END PGP SIGNATURE-----

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.