Secunia Security Advisory - A vulnerability has been reported in Microsoft Exchange Server, which can be exploited by malicious people to compromise a vulnerable system.
TITLE:
Microsoft Exchange Server Calendar Vulnerability
SECUNIA ADVISORY ID:
SA20029
VERIFY ADVISORY:
http://secunia.com/advisories/20029/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
Microsoft Exchange Server 2000
http://secunia.com/product/41/
Microsoft Exchange Server 2003
http://secunia.com/product/1828/
DESCRIPTION:
A vulnerability has been reported in Microsoft Exchange Server, which
can be exploited by malicious people to compromise a vulnerable
system.
The vulnerability is caused by an error within the EXCDO
(Exchange Collaboration Data Objects) and CDOEX (Collaboration Data
Objects for Exchange) functionality when processing iCal and vCal
properties in email messages. This can be exploited by sending a
specially crafted email message with certain vCal or iCal properties
to a vulnerable server.
Successful exploitation allows execution of arbitrary code.
SOLUTION:
Apply patches.
Microsoft Exchange Server 2000 with Post-Service Pack 3 Update Rollup
of August 2004:
http://www.microsoft.com/downloads/details.aspx?FamilyId=E72C8F94-782F-4670-9221-E2E37EADB8EC
Microsoft Exchange Server 2003 SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F32574E0-F35C-4537-9AD0-524CB49AFE53
Microsoft Exchange Server 2003 SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=82AE4397-0982-4585-84C1-DC1AF6944A0F
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
MS06-019 (KB916803):
http://www.microsoft.com/technet/security/Bulletin/MS06-019.mspx
OTHER REFERENCES:
Known issues when installing the patch:
http://support.microsoft.com/kb/916803