PT-2006-1098 · Microsoft · Exchange 5.0 Server +3

John Heasman +1 · Published 2006-01-10 · Updated 2020-04-09 · CVE-2006-0002

CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions:
Microsoft Outlook versions 2000 through 2003
Microsoft Exchange 5.0 Server version SP2
Microsoft Exchange 5.0 Server version SP4
Microsoft Exchange 2000 version SP3
Microsoft Office (affected versions not specified)

Description: A remote code execution vulnerability caused by improper decoding of Transport Neutral Encapsulation Format (TNEF) MIME attachments in e-mail messages. It allows remote attackers to execute arbitrary code via a crafted attachment. The vulnerability is also related to message length validation.

Recommendations:
For Microsoft Outlook versions 2000 through 2003, consider disabling the handling of TNEF MIME attachments until a fix is available.
For Microsoft Exchange 5.0 Server versions SP2 and SP4, restrict access to TNEF encoded messages to minimize the risk of exploitation.
For Microsoft Exchange 2000 version SP3, avoid processing e-mail messages with crafted TNEF attachments until the issue is resolved.
For Microsoft Office, at the moment, there is no information about a newer version that contains a fix for this vulnerability.
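
One way to act on the recommendation to restrict TNEF encoded messages is to flag them at a mail gateway before any client or server decodes them. The sketch below is an added example, not part of this advisory or of any Microsoft tooling; it identifies TNEF parts and does not parse their contents. Assumptions not stated on this page: the MIME types `application/ms-tnef` and `application/vnd.ms-tnef`, the conventional file name `winmail.dat`, the TNEF signature `0x223E9F78`, and the hypothetical function names.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

TNEF_SIGNATURE = 0x223E9F78  # assumed: first four bytes of a TNEF stream, little-endian
TNEF_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}

def find_tnef_parts(raw: bytes):
    """Return (filename, reasons) for every MIME leaf part that looks like TNEF."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        reasons = []
        if part.get_content_type() in TNEF_TYPES:
            reasons.append("content-type")
        name = (part.get_filename() or "").lower()
        if name == "winmail.dat":
            reasons.append("filename")
        # Declared type and name are sender-controlled, so check the magic as well.
        payload = part.get_payload(decode=True) or b""
        if len(payload) >= 4 and struct.unpack_from("<I", payload)[0] == TNEF_SIGNATURE:
            reasons.append("signature")
        if reasons:
            hits.append((name or None, reasons))
    return hits

def quarantine_decision(raw: bytes) -> str:
    """Hypothetical gateway policy: hold any message carrying a TNEF part."""
    return "quarantine" if find_tnef_parts(raw) else "deliver"

def build_sample(subtype: str, filename: str, body: bytes) -> bytes:
    """Constructed test message; the attachment body is dummy data."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", "sample"
    m.set_content("hello")
    m.add_attachment(body, maintype="application", subtype=subtype, filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    disguised = struct.pack("<I", TNEF_SIGNATURE) + b"\x00" * 8  # constructed bytes
    print(quarantine_decision(build_sample("octet-stream", "report.bin", disguised)))
    print(quarantine_decision(build_sample("octet-stream", "notes.bin", b"plain bytes")))
```

The signature check catches a TNEF stream sent under a generic content type and an unrelated file name, which the header checks alone would miss.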

Related Identifiers

CVE-2006-0002

Affected Products

Exchange 2000
Exchange 5.0 Server
Office
Outlook