Microsoft released three patches, two deemed critical, covering vulnerabilities in Microsoft Exchange, Flash and Windows.
Topping the list of security bulletins released as part of the software giant’s monthly “Patch Tuesday” was a vulnerability in Microsoft Exchange Server.
The MS06-019 patch focuses on what Amol Sarwate, vulnerability manager for managed security firm Qualys, called an “old-school vulnerability,” able to skim e-mail addresses and propagate a worm.
The vulnerability could give attackers complete control of systems running Microsoft Exchange 2000 Server with the Exchange 2000 Post-Service Pack 3 Update Rollup, and Microsoft Exchange Server 2003 with Service Pack 1 or Service Pack 2.
The Exchange Server vulnerability marks a shift from attacks on client applications, such as IE or Outlook, which need the user to open a file or follow a link, to flaws in server software that an attacker can reach without any user interaction. Targeting Exchange is especially worrisome because the server is always up, always online and, as a mail relay, capable of spreading an attack to other systems.
The Exchange Server vulnerability centers on the way the server processes vCal and iCal calendar properties in e-mail messages.
The patch was a surprise, said Sarwate. The security community had expected Microsoft to release a patch correcting a flaw in how mobile e-mail devices, such as the BlackBerry, communicate with Microsoft’s e-mail server.
The second critical patch (MS06-020) involves vulnerabilities in Adobe’s Macromedia Flash Player.
The vulnerabilities could allow attackers to take complete control of a system on which the user is logged in as an administrator. A successful exploit could delete files or change data.
Because of the way the player handles Flash animation files (SWF), attackers could create a specially crafted SWF file and either post it on a Web site or send it as an e-mail attachment.
Affected systems include Windows XP Service Pack 1, Windows XP Service Pack 2, Windows 98 Gold, Windows 98 SP1, Windows 98 SE Gold and Windows Me Gold.
Microsoft also released MS06-018, a “moderate” patch for a denial-of-service (DoS) vulnerability in the Microsoft Distributed Transaction Coordinator (MSDTC).
A DoS attack based on the flaw could stop MSDTC from coordinating transactions, that is, from ensuring that the operations of a transaction spanning several databases or other resources are either all committed or all rolled back. Although the flaw would not allow attackers to execute malicious code, it could stop the affected Windows system from accepting requests, according to Microsoft.