Proventia Network IPS, Proventia Desktop, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia-G 1.1 and earlier, Proventia Network MFS, Proventia Network IDS, IBM Security Server Protection for Windows, BlackICE Server Protection, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:
This signature detects specially crafted TNEF data that could allow arbitrary code execution on some versions of Microsoft Exchange Server and Microsoft Outlook.
This signature detects specially crafted TNEF data that could allow arbitrary code execution on some versions of Microsoft Exchange Server.
High
Proventia Network IPS: XPU 29.020, Proventia Desktop: 2360, BlackICE PC Protection: 3.6crp, RealSecure Server Sensor: XPU 29.020, RealSecure Network: XPU 29.020, Proventia-G 1.1 and earlier: XPU 29.020, Proventia Network MFS: XPU 29.020, Proventia Network IDS: XPU 29.020, IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 2.0.300.2360, IBM Security Server Protection for Windows: 1.0.914.2360, BlackICE Server Protection: 3.6.crp, Virtual Server Protection for VMware: 1.0, Proventia Server IPS for Linux technology: 29.020
Microsoft Exchange Server: 2003 SP1, Microsoft Exchange Server: 2000 SP3, Microsoft Exchange Server: 2000 SP2, Microsoft Exchange Server: 2003, Avaya Message Application Server, Microsoft Exchange Server: 2000 SP1, Microsoft Exchange Server: 2003 SP2, Microsoft Exchange Server: 2007, Microsoft Exchange Server: 2007 SP1, Microsoft Exchange Server MAPI Client and Collaboration Data Objects: 1.2.1, Avaya Message Application Server: MM 1.1, Avaya Message Application Server: MM 2.0, Avaya Message Application Server: MM 3.0, Avaya Message Application Server: MM 3.1
Unauthorized Access Attempt
Microsoft Exchange Server could allow a remote attacker to execute arbitrary code on the system because it improperly decodes Transport Neutral Encapsulation Format (TNEF) message data. By sending a specially crafted TNEF message to a vulnerable Exchange Server, a remote attacker could corrupt memory and execute arbitrary code on the system once the Exchange Server Information Store processes the message or a victim opens the message.
Apply the appropriate patch for your system, as listed in Microsoft Security Bulletin MS09-003. See References.
Microsoft Security Bulletin MS09-003
Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)
http://www.microsoft.com/technet/security/bulletin/MS09-003.mspx
IBM Internet Security Systems Protection Alert February 10, 2009
Microsoft Exchange Server TNEF Remote Code Execution
http://www.iss.net/threats/318.html
ISS X-Force
Microsoft Exchange Server TNEF decoding code execution
http://www.iss.net/security_center/static/47670.php
CVE
CVE-2009-0098
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0098