ISS warns against potential Microsoft Exchange worm

Internet Security Systems, Inc. cautions computer users that a vulnerability announced today in the Microsoft Exchange calendar feature could lead to a worm. ISS is providing customers with ahead-of-the-threat protection for this issue through its proprietary Virtual Patchâ„? technology.

“The widespread adoption of Microsoft Exchange and its built-in calendar functionality within the enterprise, combined with the unauthenticated remote access nature of the mail service, means that attackers will race to develop exploit material for this vulnerability,” said Gunter Ollmann, director of ISS’ X-Force® research and development team. “What is most concerning is that exploitation of this vulnerability does not require any user interaction whatsoever.”



As part of its monthly security updates, Microsoft today issued an advisory for a vulnerability in the way Microsoft Exchange Server handles malformed calendar attachments. Exchange Server is unable to properly recover from an invalid property being sent as part of the calendar attachment and may subsequently overwrite data. The vulnerability could allow an unauthenticated attacker to send a specially crafted e-mail message to a Microsoft Exchange Server and cause a denial of service condition or potentially execute arbitrary code. In order to compromise a machine and propagate itself, a malformed attachment would not have to be read by the message recipient.



“In order to take advantage of this vulnerability, a maliciously-crafted e-mail would simply have to reach an organisation’s Exchange Server,” continued Ollmann. “This makes conditions ripe for the creation of a mail-centric worm.”



Successful exploitation of this vulnerability could be used to obtain unauthorised access to networks and machines, leading to exposure of confidential information, loss of productivity and further network compromise.