I was reading the Microsoft Security Announcement e-mail that arrived in my inbox yesterday (yeah, I know, I should have read it yesterday). (Online copy here)

One thing that made me smile:

Microsoft Security Bulletin MS06-003: Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution (902412)


You'll have probably heard of the 'glitch' with the Graphics Rendering Engine, but this one caught me off guard. What could be left in the TNEF engine that is insecure? After all, this thing has had hundreds of subtle tweaks over the years - after all, it's been in Windows 95 onwards (at least, from what I know!). It's built into Outlook, Outlook Express, etc.


Anyway, what makes me smile is the simple issue this raises. Should we trust encoded data types - such as HTML (with embedded J/Script), TNEF, RichText etc? Or should we just go back to plain text?