Updated: July 11, 2020 (May 15, 2006)
Analyst Report
May 2006 Security Updates
Three patches, two critical and one moderate, were released on the May 2006 “Patch Tuesday.” The first critical patch fixes a problem that could allow an attacker to take full control of an Exchange server through the way Exchange processes calendar data. However, applying the security bug fix also applies a change to Exchange functionality that could stop some applications from working. The other critical patch fixes problems in the Adobe Flash Player, and because Microsoft distributed the Flash Player, it will also distribute Adobe’s patch.
Two Critical Patches
The critical patch for Exchange Server fixes a remote code execution vulnerability that could allow an attacker to take complete control of an affected Exchange Server. The vulnerability exists in the Collaboration Data Objects for Exchange (CDOEX) and Exchange Collaboration Data Objects (EXCDO), which provide programmatic interfaces for Exchange Server to process certain messages on behalf of other applications and services. To exploit the vulnerability, an attacker would have to send a message with specially crafted Virtual Calendar (vCAL) or Internet Calendar (iCAL) properties to an unpatched Exchange Server. vCAL and iCAL are MIME content types used by Exchange and e-mail clients when sending information related to calendars and scheduling.