Microsoft Patches Critical Exchange, Flash Holes
Microsoft released three patches -- two deemed critical -- covering vulnerabilities in Microsoft Exchange, Flash and Windows.
Topping the list of security bulletins released as part of the software giant's monthly "patch Tuesday" was a vulnerability in Microsoft Exchange Server.
The MS06-019 patch focuses on what Amol Sarwate, vulnerability manager for managed security firm Qualys, called an "old-school vulnerability," able to skim e-mail addresses and propagate a worm.
The vulnerability could give attackers complete control of systems using Microsoft Exchange Server 2000 with the Exchange 2000 Post-Service Pack 3 Update Rollup and Microsoft Exchange Server 2003 with Service Pack 1 and 2.
The Exchange Server vulnerability marks a shift from attacks on client applications such as IE or Outlook, which require user interaction, to flaws in server software.
Targeting Exchange is especially worrisome because it is always up, always online and capable of spreading an attack.
The Exchange Server security breach centers on vCal or iCal calendar properties.
The patch was a surprise, said Sarwate. The security community expected Microsoft to release a patch correcting a flaw in how mobile e-mail devices, such as the BlackBerry, communicate with Microsoft's e-mail server.
The second critical patch (MS06-020) involves vulnerabilities in Adobe's Macromedia Flash Player.
The vulnerabilities could allow attackers to take complete control of a system where a user is logged in as administrator. If successful, the exploits could delete files or change data.
Because of the way the player handles Flash animation files (SWF), attackers could create a specially crafted SWF file and either post it on a Web site or include it in an e-mail.
Affected systems include Windows XP Service Pack 1, Windows XP Service Pack 2, Windows 98 Gold, Windows 98 SP1, Windows 98 SE Gold and Windows Me Gold.
Microsoft also released MS06-018, a "moderate" patch targeting possible denial-of-service (DoS) attacks stemming from a vulnerability in the Microsoft Distributed Transaction Coordinator (MDTC).
Any DoS attack based on the flaw could stop the MDTC from ensuring that databases are successfully launched or closed. Although the attack wouldn't allow attackers to execute malicious code, the vulnerability could stop Windows from accepting requests, according to Microsoft.