Notices
NSC-060509: Windows and Exchange Server Vulnerabilities
National Cyber Alert System
Technical Cyber Security Alert TA06-129A
Microsoft Windows and Exchange Server Vulnerabilities
Original release date: May 9, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Microsoft Windows
* Microsoft Exchange Server
For more complete information, refer to the Microsoft Security
Bulletin Summary for May 2006.
Overview
Microsoft has released updates that address critical vulnerabilitiesin Microsoft Windows and Exchange Server. Exploitation of thesevulnerabilities could allow a remote, unauthenticated attacker toexecute arbitrary code or cause a denial of service on a vulnerablesystem.
I. Description
Microsoft Security Bulletin Summary for May 2006 addressesvulnerabilities in Microsoft Windows and Exchange Server. Furtherinformation is available in the following US-CERT Vulnerability Notes:
VU#303452 - Microsoft Exchange fails to properly handle vCal and iCal
properties
Microsoft Exchange Server does not properly handle the vCal and iCalproperties of email messages. Exploitation of this vulnerability mayallow a remote, unauthenticated attacker to execute arbitrary code onan Exchange Server.
(CVE-2006-0027)
VU#945060 - Adobe Flash products contain multiple vulnerabilities Several vulnerabilities in Adobe Macromedia Flash products may allow aremote attacker to execute code on a vulnerable system.
(CVE-2006-0024)
VU#146284 - Macromedia Flash Player fails to properly validate theframe type identifier read from a "SWF" file A buffer overflow vulnerability in some versions of the MacromediaFlash Player may allow a remote attacker to execute code on avulnerable system.
(CVE-2005-2628)
II. Impact
A remote, unauthenticated attacker could execute arbitrary code on avulnerable system. An attacker may also be able to cause a denial ofservice.
III. Solution
Apply Updates
Microsoft has provided updates for these vulnerabilities in the
Security Bulletins. Microsoft Windows updates are available on the
Microsoft Update site.
Workarounds
Please see the US-CERT Vulnerability Notes for workarounds.
Appendix A. References
* Microsoft Security Bulletin Summary for May 2006 -
<http://www.microsoft.com/technet/security/bulletin/ms06-may.mspx>
* Technical Cyber Security Alert TA06-075A -
<http://www.us-cert.gov/cas/techalerts/TA06-075A.html>
* US-CERT Vulnerability Note VU#303452 -
<http://www.kb.cert.org/vuls/id/303452>
* US-CERT Vulnerability Note VU#945060 -
<http://www.kb.cert.org/vuls/id/945060>
* US-CERT Vulnerability Note VU#146284 -
<http://www.kb.cert.org/vuls/id/146284>
* CVE-2006-0027 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0027>
* CVE-2006-0024 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0024>
* CVE-2005-2628 -
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2628>
* Microsoft Update - <https://update.microsoft.com/microsoftupdate>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-129A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please sendemail to <cert@cert.org> with "TA06-129A Feedback VU#303452" in thesubject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
May 9, 2006: Initial release