MS06-003: TNEF vuln in Exchange 2000 and Exchange 5.5

It’s Patch Tuesday, so you know what that means. This month, there’s actually an Exchange patch, although it only applies to Exchange 2000, Exchange 5.5, and Exchange 5.0 on the server side (Outlook 2000, Outlook XP, and Outlook 2003 are all affected too, though). The vuln reported in MS06-003 is a problem in the TNEF decoding engine that can allow remote code execution. Interestingly, MS released security patches for Exchange 5.5 even though it just went end-of-life 10 days ago… and what’s up with that crazy Exchange 5.0 patch? That’s been out of support for quite a while, and I’d bet the percentage of sites using it is very, very small.