TITLE:
Microsoft Exchange Server Calendar Vulnerability
SECUNIA ADVISORY ID:
SA20029
VERIFY ADVISORY:
http://secunia.com/advisories/20029/
CRITICAL:
Highly critical
IMPACT:
System access
WHERE:
From remote
SOFTWARE:
Microsoft Exchange Server 2000
http://secunia.com/product/41/
Microsoft Exchange Server 2003
http://secunia.com/product/1828/
DESCRIPTION:
A vulnerability has been reported in Microsoft Exchange Server, which
can be exploited by malicious people to compromise a vulnerable
system.
The vulnerability is caused due to an error within the EXCDO
(Exchange Collaboration Data Objects) and CDOEX (Collaboration Data
Objects for Exchange) functionality when processing iCal and vCal
properties in email messages. This can be exploited by sending a
specially crafted email message with certain vCal or iCal properties
to a vulnerable server.
Successful exploitation allows execution of arbitrary code.
SOLUTION:
Apply patches.
Microsoft Exchange Server 2000 with Post-Service Pack 3 Update Rollup
of August 2004:
http://www.microsoft.com/downloads/d...1-E2E37EADB8EC
Microsoft Exchange Server 2003 SP1:
http://www.microsoft.com/downloads/d...0-524CB49AFE53
Microsoft Exchange Server 2003 SP2:
http://www.microsoft.com/downloads/d...1-DC1AF6944A0F
PROVIDED AND/OR DISCOVERED BY:
Reported by the vendor.
ORIGINAL ADVISORY:
MS06-019 (KB916803):
http://www.microsoft.com/technet/sec.../MS06-019.mspx
OTHER REFERENCES:
Known issues when installing the patch:
http://support.microsoft.com/kb/916803
----------------------------------------------------------------------
Rispondi quotando
