Microsoft releases May’s bulletins
Microsoft has released its security bulletins for May, with critical patches for Windows and Exchange as well as a further Moderate-rated patch for Windows.
The Exchange patch covers Exchange Server 2000 with Post-SP3, up to Exchange Server 2003 with SP2. A vulnerability in the Exchange Calendar could allow an attacker to create a message with certain vCal or iCal properties that would allow remote code execution.
The critical patch for Windows centres on a vulnerable version of Adobe’s Macromedia Flash player that is shipped with Windows XP SP1 and SP2, as well as with earlier versions of Windows where Internet Explorer 6 with SP1 is installed. Versions of Windows Server 2003, as well as Windows 2000 SP4 and Windows XP Pro 64-bit, are not affected unless a vulnerable version of the player software has been subsequently installed.
Adobe has highlighted the issue and already offers guidance on its website.
The two vulnerabilities fixed by the patch could allow remote code execution if an attacker constructed a malicious Flash movie and persuaded the target to visit a website hosting that movie.
The third patch, rated Moderate, addresses a pair of denial of service vulnerabilities in Windows 2000 SP4, Windows XP SP1 and SP2, and Windows Server 2003 including the Itanium version. Windows 98 to ME are not affected, nor are versions of Windows Server 2003 with SP1, or 64-bit editions.
An attacker could send specially crafted network messages that would cause the Microsoft Distributed Transaction Coordinator (MSDTC) to stop responding, thus causing a denial of service. However, an attacker would not be able to execute code or escalate privileges.
For more information, and to download the updates manually, visit the Microsoft security site.