TITLE:
Microsoft Exchange Server Calendar Vulnerability

SECUNIA ADVISORY ID:
SA20029

VERIFY ADVISORY:
http://secunia.com/advisories/20029/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Microsoft Exchange Server 2000
http://secunia.com/product/41/
Microsoft Exchange Server 2003
http://secunia.com/product/1828/

DESCRIPTION:
A vulnerability has been reported in Microsoft Exchange Server, which
can be exploited by malicious people to compromise a vulnerable
system.

The vulnerability is caused by an error within the EXCDO
(Exchange Collaboration Data Objects) and CDOEX (Collaboration Data
Objects for Exchange) functionality when processing iCal and vCal
properties in email messages. This can be exploited by sending a
specially crafted email message with certain vCal or iCal properties
to a vulnerable server.

Successful exploitation allows execution of arbitrary code.
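
Because the vector described above is an email message carrying iCal or vCal content, one way to gauge exposure on a server that is not yet patched is to find which stored or queued messages carry calendar data at all. The following Python is an added example, not part of the advisory or of any vendor code; the function name, the MIME type and extension lists, and the sample messages are assumptions constructed here. It reports the presence of calendar content only, since the advisory does not say which properties are affected.

```python
import base64
import email
from email import policy

CAL_TYPES = {"text/calendar", "text/x-vcalendar"}  # declared iCal / vCal parts
CAL_EXTS = (".ics", ".vcs")                        # attachment names to flag
MARKER = b"BEGIN:VCALENDAR"                        # opens both iCal and vCal bodies

def calendar_parts(raw):
    """Return (content_type, filename, reason) for each calendar-bearing MIME part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue                               # containers carry no payload
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        # decode=True undoes base64 / quoted-printable so the marker is visible
        body = part.get_payload(decode=True) or b""
        if ctype in CAL_TYPES:
            reason = "content-type"
        elif fname.lower().endswith(CAL_EXTS):
            reason = "filename"
        elif MARKER in body.upper():
            reason = "body-marker"                 # calendar data under another type
        else:
            continue
        hits.append((ctype, fname, reason))
    return hits

# Constructed, benign sample data (not taken from the advisory).
ICS = (b"BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
       b"SUMMARY:demo\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")

def sample(ctype, body, extra=b""):
    """Build a constructed single-part message with a base64-encoded body."""
    return (b"From: a@example.test\r\nTo: b@example.test\r\nSubject: s\r\n"
            b"MIME-Version: 1.0\r\nContent-Type: " + ctype + b"\r\n"
            b"Content-Transfer-Encoding: base64\r\n" + extra + b"\r\n"
            + base64.b64encode(body) + b"\r\n")

DECLARED = sample(b"text/calendar; method=REQUEST", ICS)
RENAMED = sample(b"application/octet-stream", b"x",
                 b'Content-Disposition: attachment; filename="Invite.VCS"\r\n')
MISLABELLED = sample(b"application/octet-stream", ICS)
PLAIN = sample(b"text/plain", b"hello")

if __name__ == "__main__":
    for name in ("DECLARED", "RENAMED", "MISLABELLED", "PLAIN"):
        print(name, calendar_parts(globals()[name]))
```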

SOLUTION:
Apply patches.

Microsoft Exchange Server 2000 with Post-Service Pack 3 Update Rollup
of August 2004:
http://www.microsoft.com/downloads/d...1-E2E37EADB8EC

Microsoft Exchange Server 2003 SP1:
http://www.microsoft.com/downloads/d...0-524CB49AFE53

Microsoft Exchange Server 2003 SP2:
http://www.microsoft.com/downloads/d...1-DC1AF6944A0F

PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.

ORIGINAL ADVISORY:
MS06-019 (KB916803):
http://www.microsoft.com/technet/sec.../MS06-019.mspx

OTHER REFERENCES:
Known issues when installing the patch:
http://support.microsoft.com/kb/916803
