# warning



## Terry Seyforth (Dec 7, 2004)

Hi I have posted this in hijack this as well, Im not sure where to ask for help ?
I have just encountered a problem running Panda Scan, I assumed I had something blocking it ?
So I used Trend Micro and the report warned me of this and to take steps, Im not sure whether they are a threat or not. Do I need to take steps ?

Maybe you may know. 

Thanks for you advice .
MS06-003) Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)







Vulnerability Identifier: CVE-2006-0002 
Discovery Date: Jan 10, 2006 
Risk: Critical 
Vulnerability Assessment Pattern File: 038 
Affected Software: 
•	Microsoft Exchange 2000 Server Service Pack 3 
•	Microsoft Exchange Server 5.0 Service Pack 2 
•	Microsoft Exchange Server 5.5 Service Pack 4 
•	Microsoft Office 2000 
•	Microsoft Office 2000 Service Pack 3 
•	Microsoft Office 2003 
•	Microsoft Office 2003 Service Pack 1 
•	Microsoft Office XP 
•	Microsoft Office XP Service Pack 3 
•	Microsoft Outlook 2000 
•	Microsoft Outlook 2002 
Description:
This update resolves a newly-discovered, privately-reported vulnerability that can allow a remote malicious user to run arbitrary codes on an affected system.
A vulnerability that exists in Microsoft Outlook and Microsoft Exchange Server allows remote code execution because of the way they decode the Transport Neutral Encapsulation Format (TNEF) in the MIME attachment. 
On affected software, the said remote user who successfully exploits this vulnerability can take full control of the system if an unsuspecting user is logged on with administrative user rights. However the said vulnerability has less impact on users whose accounts are configured to have fewer user rights on the affected system. 
TNEF Decoding Vulnerability
Microsoft Exchange servers and Outlook e-mail clients use TNEF forma when sending messages that are in Rich Text Format (RTF). When Microsoft Exchange thinks that another Microsoft e-mail client is receiving its message, it extracts all the formatting information and encodes it in a TNEF block. The message is then sent in two parts â€“ the text message with all the formatting removed and the formatting instructions itself in a TNEF block. The message and TNEF block are then processed and re-formatted by a Microsoft e-mail client. Thus, a specially crafted TNEF message can allow remote code execution when the affected user previews or opens a malicious e-mail message or when the specially-crafted message is processed by the Microsoft Exchange Server Information Store.
Upon successful exploitation of this vulnerability, the remote malicious user could take complete control of the affected system. The said remote user can then install programs; view, change, or delete files; or create new accounts with full user rights. 

Patch Information:
The patch for this vulnerability is available at the following Microsoft Web page:
Microsoft Security Bulletin MS06-003


Workaround Fixes:
Block MS-TNEF on Microsoft Exchange Server to help protect against attempts to exploit this vulnerability through SMTP e-mail.
Systems can be configured to block certain types of files from being received as e-mail attachments. Microsoft TNEF-encoded e-mail messages, commonly known as rich text format (RTF) e-mail messages, can contain malicious OLE objects. These e-mail messages contain a file attachment that stores the TNEF information. This file attachment is usually named Winmail.dat. Blocking this file, and blocking the ms-tnef MIME type, could help protect Exchange servers and other affected programs from attempts to exploit this vulnerability if customers cannot install the available security update. To help protect an Exchange Server computer from attacks through SMTP, block the Winmail.dat file and all application/ms-tnef MIME type content before it reaches the Exchange Server computer. 
Take note of the following points:
•	You cannot mitigate this vulnerability by setting the Exchange rich-text format option in Exchange Server to Never used or by disabling TNEF processing by editing the registry. 
•	Exchange supports other messaging protocols, such as X.400, that these workarounds do not protect. Microsoft recommends that administrators require authentication on all other client and message transport protocols to help prevent attacks using these protocols. 
•	Filtering only for attachments that have the file name Winmail.dat may not be sufficient to help protect your system. A malicious file attachment could be given another file name that could then be processed by the Exchange Server computer. To help protect against malicious e-mail message’s, block all application/ms-tnef MIME type content. 
The following suggestions are ways to block the WINMAIL.DAT file and other TNEF content:
•	You can use ISA Server 2000 SMTP Message Screener to block all file attachments or to block only the Winmail.dat file. Blocking all file attachments provides the most protection for this issue if you use ISA Server 2000 because ISA Server 2000 does not support blocking content based on MIME content types. For more information, see Microsoft Knowledge Base Article 315132. 
•	You can use ISA Server 2000 SMTP Filter to block all file attachments or to block only the Winmail.dat file. Blocking all file attachments provides the most protection for this issue if you use ISA Server 2000 because ISA Server 2000 does not support blocking content based on MIME content types. For more information, see Microsoft Knowledge Base Article 320703. 
•	You can use ISA Server 2004 SMTP Filter and Message Screener block all file attachments or just the Winmail.dat file. Blocking all file attachments provides the most protection for this issue if you use ISA Server 2004 because ISA Server 2004 does not support blocking content based on MIME content types. For more information, see Microsoft Knowledge Base Article 888709. 
•	You can use third-party e-mail filters to block all application/ms-tnef MIME type content before it is sent to the Exchange Server computer or to a vulnerable application.

And also this :

MS05-004) ASP.NET Path Validation Vulnerability (887219)







Vulnerability Identifier: CAN-2004-0847 
Discovery Date: Feb 8, 2005 
Risk: Important 
Vulnerability Assessment Pattern File: 023 
Affected Software: 
•	Microsoft .NET Framework 1.0 
•	Microsoft .NET Framework 1.1 
Description:
A canonicalization vulnerability exists in ASP.NET, which could allow a malicious user to access secure and protected files. The security mechanisms of an ASP.NET Web site can be bypassed to allow the malicious user unauthorized access.

Patch Information:

http://www.microsoft.com/technet/security/bulletin/MS05-004.mspx


Workaround Fixes:
•	Apply the mitigation code module discussed in Microsoft Knowledge Base Article 887289. The mitigation code module provides protection on a server-basis. 
•	Make the following changes in the GLOBAL.ASAX file in the application root directory for each application on an affected system as an alternative to installing the module on a per-application basis: 
<script runat=server language=cs>
void Application_BeginRequest(object src, EventArgs e)
{ if (Request.Path.IndexOf('\\') >= 0 || System.IO.Path.GetFullPath(Request.PhysicalPath) != Request.PhysicalPath) { throw new HttpException(404, "not found"); }}
</script> 
•	Install and use URLScan to help protect systems against a large number of issues stemming from improperly formed URL requests, including the publicly described issues addressed by this bulletin. Note however that URLScan does not protect your system as comprehensively as either the mitigation code module or the GLOBAL.ASAX script.


----------

