As mentioned yesterday, Microsoft changed their lifecycle support policy to get in one last security fix for Exchange 5.0 and Exchange 5.5. It’s just as well, because, as the headline puts it, “Microsoft’s Newest Bug Could Be Awful, Researcher Says”:
“What I find bizarre is that there’s still all this focus on the WMF [Windows Metafile] bug,” said Mark Litchfield, the director of NGS Software, a U.K.-based security company, and one of the two researchers credited by Microsoft with the discovery of the TNEF (Transport Neutral Encapsulation Format) vulnerability.
“You could take over an Exchange server with a single, simple e-mail,” he said. “From there you could target all the clients accessing that server. You would ‘own’ any Outlook client that connects to that server. Then an attacker could grab the Outlook users’ address books.
“If you did it right, you could own every Outlook user in the world within a week,” he said.
Actually, while earlier versions have the flaw, Exchange Server 2003 is immune, but you get the idea. All recent Outlook versions need to be patched as well. While there are no exploits in the wild yet, they are expected shortly as the Microsoft patch is reverse engineered.