TITLE:
Microsoft Exchange Server Calendar Vulnerability

SECUNIA ADVISORY ID:
SA20029

VERIFY ADVISORY:
http://secunia.com/advisories/20029/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Microsoft Exchange Server 2000
http://secunia.com/product/41/
Microsoft Exchange Server 2003
http://secunia.com/product/1828/

DESCRIPTION:
A vulnerability has been reported in Microsoft Exchange Server, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused by an error within the EXCDO (Exchange Collaboration Data Objects) and CDOEX (Collaboration Data Objects for Exchange) functionality when processing iCal and vCal properties in email messages. This can be exploited by sending a specially crafted email message with certain vCal or iCal properties to a vulnerable server.

Successful exploitation allows execution of arbitrary code.

SOLUTION:
Apply patches.

Microsoft Exchange Server 2000 with Post-Service Pack 3 Update Rollup of August 2004:
http://www.microsoft.com/downloads/details.aspx?FamilyId=E72C8F94-782F-4670-9221-E2E37EADB8EC

Microsoft Exchange Server 2003 SP1:
http://www.microsoft.com/downloads/details.aspx?FamilyId=F32574E0-F35C-4537-9AD0-524CB49AFE53

Microsoft Exchange Server 2003 SP2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=82AE4397-0982-4585-84C1-DC1AF6944A0F

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
MS06-019 (KB916803):
http://www.microsoft.com/technet/security/Bulletin/MS06-019.mspx

OTHER REFERENCES:
Known issues when installing the patch:
http://support.microsoft.com/kb/916803