Patch/Configuration Management, Vulnerability Management

Exchange flaw, two others, fixed on Microsoft Patch Tuesday

Microsoft released three fixes - two of which prevent remote code execution - as part of its monthly Patch Tuesday release today.

As expected, one of the critical patches was for Microsoft Exchange and fixes a vulnerability in the Exchange Calendar that a hacker could exploit by constructing a specially crafted message to allow remote code execution if the program's server processes an email with vCal or iCal properties.

The other critical patch fixes a hole in the Macromedia Flash Player from Adobe that could also allow for a malicious user to execute code onto an affected PC.

The third patch is for a moderate flaw in Microsoft Distributed Transaction Coordinator that could allow a DoS attack.

"A (DoS) vulnerability exists that could allow an attacker to send a specially crafted network message to an affected system," according to the Microsoft security advisory. "An attacker could cause the Microsoft Distributed Transaction Coordinator (MSDTC) to stop responding."

Microsoft thanked eEye Digital Security, Xiao Chen of McAfee and Kai Zhang of VenusTech for reporting issues described in the MSDTC flaw.

Microsoft told PC users last week to expect three patches today, two for Windows and the third for Exchange.

The SANS Institute warned today that the Exchange patch would break some functionality required by Research in Motion's enterprise server.

Russ Cooper, senior information security analyst at Cybertrust, said he wasn't surprised by the release of any of the fixes, but called the Exchange patch, MS06-019, "a hot patch."

"It's very disturbing that my Exchange server can just be sitting there and someone can execute code onto it," he said.

The lack of a truly shocking flaw notification is a positive sign, added Cooper.

"Microsoft patches according to priority, so if these are the foremost patches that need to be released this month, that's a good sign," he said.

Microsoft released five patches in April, including a cumulative patch for Internet Explorer. Some security experts had urged Redmond to release an early patch for the creatTextRange() vulnerability, which had gained widespread notoriety in the weeks leading up to Patch Tuesday.

Microsoft re-released one of the fixes later in April due to interference with Hewlett-Packard and other third-party products.

Jonathan Bitle, senior product manager for Qualys, said the Exchange flaw shows hackers are still capable of running code onto PCs without the user visiting a malicious site.

"This takes advantage of enterprises because it's effective with little or not user interaction," he said

Redmond released two patches in March, one fixing numerous vulnerabilities in Microsoft Office.

Alain Sergile, technical product manager of Internet Security Systems' X-Force, said the commonality of Exchange in business environments makes the flaw more of a priority.

"Microsoft has dubbed it critical, and we agree with that, because of Exchange's prominence in corporate America," he said, adding that a malicious user only has to access an Exchange server – not an inbox – to affect a corporate system.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.