Related information

Microsoft Exchange Calendar code execution

Microsoft Security Bulletin MS06-019 Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)

From:	CERT <cert_(at)_cert.gov>
Date:	10.05.2006
Subject:	US-CERT Technical Cyber Security Alert TA06-129A -- Microsoft Windows and Exchange Server Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



                       National Cyber Alert System

               Technical Cyber Security Alert TA06-129A


Microsoft Windows and Exchange Server Vulnerabilities

  Original release date: May 9, 2006
  Last revised: --
  Source: US-CERT


Systems Affected

    * Microsoft Windows
    * Microsoft Exchange Server

  For more complete information, refer to the Microsoft Security
  Bulletin Summary for May 2006.


Overview

  Microsoft has released updates that address critical vulnerabilities
  in Microsoft Windows and Exchange Server. Exploitation of these
  vulnerabilities could allow a remote, unauthenticated attacker to
  execute arbitrary code or cause a denial of service on a vulnerable
  system.


I. Description

  Microsoft Security Bulletin Summary for May 2006 addresses
  vulnerabilities in Microsoft Windows and Exchange Server. Further
  information is available in the following US-CERT Vulnerability Notes:


  VU#303452 - Microsoft Exchange fails to properly handle vCal and iCal
  properties

  Microsoft Exchange Server does not properly handle the vCal and iCal
  properties of email messages. Exploitation of this vulnerability may
  allow a remote, unauthenticated attacker to execute arbitrary code on
  an Exchange Server.
  (CVE-2006-0027)


  VU#945060 - Adobe Flash products contain multiple vulnerabilities

  Several vulnerabilities in Adobe Macromedia Flash products may allow a
  remote attacker to execute code on a vulnerable system.
  (CVE-2006-0024)


  VU#146284 - Macromedia Flash Player fails to properly validate the
  frame type identifier read from a "SWF" file

  A buffer overflow vulnerability in some versions of the Macromedia
  Flash Player may allow a remote attacker to execute code on a
  vulnerable system.
  (CVE-2005-2628)


II. Impact

  A remote, unauthenticated attacker could execute arbitrary code on a
  vulnerable system. An attacker may also be able to cause a denial of
  service.


III. Solution

Apply Updates

  Microsoft has provided updates for these vulnerabilities in the
  Security Bulletins. Microsoft Windows updates are available on the
  Microsoft Update site.

Workarounds

  Please see the US-CERT Vulnerability Notes for workarounds.


Appendix A. References

    * Microsoft Security Bulletin Summary for May 2006 -
      <http://www.microsoft.com/technet/security/bulletin/ms06-may.mspx>

    * Technical Cyber Security Alert TA06-075A -
      <http://www.us-cert.gov/cas/techalerts/TA06-075A.html>

    * US-CERT Vulnerability Note VU#303452 -
      <http://www.kb.cert.org/vuls/id/303452>

    * US-CERT Vulnerability Note VU#945060 -
      <http://www.kb.cert.org/vuls/id/945060>

    * US-CERT Vulnerability Note VU#146284 -
      <http://www.kb.cert.org/vuls/id/146284>

    * CVE-2006-0027 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0027>

    * CVE-2006-0024 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0024>

    * CVE-2005-2628 -
      <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2628>

    * Microsoft Update - <https://update.microsoft.com/microsoftupdate>


____________________________________________________________________

  The most recent version of this document can be found at:

    <http://www.us-cert.gov/cas/techalerts/TA06-129A.html>
____________________________________________________________________

  Feedback can be directed to US-CERT Technical Staff. Please send
  email to <cert@cert.org> with "TA06-129A Feedback VU#303452" in the
  subject.
____________________________________________________________________

  For instructions on subscribing to or unsubscribing from this
  mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

  Produced 2006 by US-CERT, a government organization.

  Terms of use:

    <http://www.us-cert.gov/legal.html>
____________________________________________________________________


Revision History

  May 9, 2006: Initial release


   
   

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRGDvB30pj593lg50AQJkAQf9FqFX8S29GmV1pKfRCfkEY9ooi/ygyeyu
l+z2OpoJsu4BHhYbXahssZLutNh0UtpC2Qv17sgHP2xg2sIokqgqkdMH1WQn4kAw
x6RWPlI7hraIg/tY1lSZayZris4XMuDzNiqfpa/gN7oOSOtnIZ6Ky5+h5nIk+xxk
Q50BdlEHmw5e62LyW7qnBAoHuHzEQq/xS52DtTat+aigRYePq3SX2f8S4BpZyKzq
kQKN7kn2keseziuKCMEMNIH0bUunUr6M2kRsBPIBUrAi03Fmgx2Qfy7yMHRV/0Gg
A2jjB48O4m+fuHHQSVSP2gCtSbe9ChiWJ8Db1nY1pnsQ42fZvqQekg==
=nxe/
-----END PGP SIGNATURE-----