Microsoft has released three security bulletins for May. Of the three, Redmond has rated two as critical and one as low to moderate, depending on the affected version.
This month’s Patch Tuesday was relatively quiet, with the release of two critical security bulletins and one low-level threat that doesn’t present much risk. Let’s take a
Security Bulletin MS06-019, “Vulnerability in Microsoft Exchange Could Allow Remote Code Execution,” addresses a single Exchange Calendar vulnerability. The vulnerability is due to the failure of Collaboration Data Objects for Exchange (CDOEX) and Exchange Collaboration Data Objects (EXCDO) to properly process Virtual Calendar (vCal) and Internet Calendar (iCal) MIME content in e-mails.
This bulletin replaces MS05-048 for Exchange Server 2000 only. Exchange Server 2003 Service Pack 1 and Exchange Server 2003 SP2 are also affected.
Because it’s a remote code execution threat, Microsoft has rated this bulletin as critical. There are no known mitigating factors for this vulnerability.
Install the update. As a workaround, you can require authentication for all connections to the server. In addition, you can block iCal/vCal on Exchange Server to increase protection against an attack via SMTP e-mail.
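The iCal/vCal blocking workaround above amounts to refusing or quarantining inbound mail that carries calendar MIME content before it reaches CDOEX/EXCDO. The following added example (not Microsoft’s code or this column’s) shows the detection half of that in Python using only the standard library: it walks every MIME part of a message, flags calendar content types and `.ics`/`.vcs` attachments, and also catches a calendar body hidden behind a generic content type. The sample messages are constructed inline for the demonstration.

```python
"""Flag inbound e-mail that carries vCal/iCal MIME content.

Added example for the MS06-019 workaround; not Microsoft's or the
column's code. Uses only the Python standard library.
"""
import email
from email import policy
from email.message import EmailMessage

# Content types and attachment extensions that carry calendar data.
CALENDAR_MIME_TYPES = {"text/calendar", "text/x-vcalendar", "application/ics"}
CALENDAR_EXTENSIONS = (".ics", ".vcs")
# Marker that every iCalendar/vCalendar body starts with.
CALENDAR_MAGIC = b"BEGIN:VCALENDAR"


def calendar_parts(raw_message: bytes):
    """Return (content_type, filename) for every leaf MIME part that
    looks like calendar content, including nested multiparts."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type().lower()
        filename = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        if (ctype in CALENDAR_MIME_TYPES
                or filename.endswith(CALENDAR_EXTENSIONS)
                or CALENDAR_MAGIC in payload.upper()):
            hits.append((ctype, filename))
    return hits


def should_quarantine(raw_message: bytes) -> bool:
    """Policy decision: hold any message with calendar content."""
    return bool(calendar_parts(raw_message))


def build_sample(with_invite: bool, disguised: bool = False) -> bytes:
    """Constructed sample message (not real traffic) for the demo.
    disguised=True mislabels the invite as application/octet-stream."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Meeting"
    msg.set_content("Please see the attached invitation.")
    if with_invite:
        ics = ("BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
               "SUMMARY:Sync\r\nEND:VEVENT\r\nEND:VCALENDAR\r\n")
        if disguised:
            msg.add_attachment(ics.encode(), maintype="application",
                               subtype="octet-stream", filename="invite.dat")
        else:
            # str content defaults to maintype "text" -> text/calendar
            msg.add_attachment(ics, subtype="calendar", filename="invite.ics")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("plain", build_sample(False)),
                       ("invite", build_sample(True)),
                       ("disguised", build_sample(True, disguised=True))):
        print(label, "quarantine" if should_quarantine(raw) else "deliver",
              calendar_parts(raw))
```

The payload check is what makes this more than a content-type filter: a sender who relabels the invite as `application/octet-stream` still gets caught because the decoded bytes begin with `BEGIN:VCALENDAR`. A real gateway would hand the flagged message to its quarantine rather than just returning a boolean.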
Security Bulletin MS06-020, “Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution,” addresses two problems with Flash, both related to the way the Adobe software processes SWF flash animation files: CVE-2006-0024
This bulletin does not affect Windows 2000, Windows Server 2003, or Windows Server 2003 SP1. Microsoft has rated this bulletin as critical.
MS06-020 only applies to those using Macromedia Flash Player version 6 or earlier that haven’t already applied the fix provided in Adobe Security Bulletin APSB06-03.
Install the update. As a workaround, you can block the Flash Player ActiveX control from running. Read the entire security bulletin for more information.
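Blocking an ActiveX control from running in Internet Explorer is done with the kill bit: a `Compatibility Flags` REG_DWORD with bit 0x400 set under `HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}`. The added example below (not Microsoft’s, Adobe’s or this column’s code) parses a `.reg` export of that key and reports which controls are kill-bitted, so an administrator can verify the workaround across exported registries. The CLSID used for the Flash control is the well-known Shockwave Flash Object class ID; the `.reg` text and the all-zero placeholder CLSID are constructed for the demonstration.

```python
# Report which ActiveX controls a .reg export marks with the IE kill bit.
# Added example for the MS06-020 workaround; not Microsoft's, Adobe's or the
# column's code. Assumes the documented kill-bit mechanism: bit 0x400 of the
# "Compatibility Flags" REG_DWORD under
#   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
import re

KILL_BIT = 0x400  # the "kill bit" flag inside Compatibility Flags
ACTIVEX_COMPAT_KEY = "ActiveX Compatibility"
FLASH_CLSID = "{D27CDB6E-AE6D-11CF-96B8-444553540000}"  # Shockwave Flash Object

KEY_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
FLAGS_LINE = re.compile(r'^"Compatibility Flags"=dword:(?P<hex>[0-9a-fA-F]{8})$')
CLSID_IN_KEY = re.compile(r"\{[0-9A-Fa-f-]{36}\}$")

# Constructed sample export (not a real registry); the all-zero CLSID is a
# placeholder for some other control that has flags but no kill bit.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000001
"""


def parse_kill_bits(reg_text: str) -> dict:
    """Map each CLSID found under ActiveX Compatibility to True when its
    kill bit is set, False otherwise. Keys elsewhere are ignored."""
    result = {}
    current_clsid = None
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = KEY_LINE.match(line)
        if key_match:
            key = key_match.group("key")
            clsid_match = CLSID_IN_KEY.search(key)
            in_compat = ACTIVEX_COMPAT_KEY.lower() in key.lower()
            current_clsid = clsid_match.group(0).upper() if (clsid_match and in_compat) else None
            continue
        flags_match = FLAGS_LINE.match(line)
        if flags_match and current_clsid:
            flags = int(flags_match.group("hex"), 16)
            result[current_clsid] = bool(flags & KILL_BIT)  # mask, not equality
    return result


def flash_is_blocked(reg_text: str) -> bool:
    """True only if the Flash control's kill bit is present in the export."""
    return parse_kill_bits(reg_text).get(FLASH_CLSID, False)


if __name__ == "__main__":
    for clsid, blocked in parse_kill_bits(SAMPLE_REG).items():
        print(clsid, "kill bit set" if blocked else "NOT blocked")
    print("Flash blocked:", flash_is_blocked(SAMPLE_REG))
```

Two details matter when running this on real exports: regedit writes `.reg` files as UTF-16 with a byte-order mark, so read them with `encoding="utf-16"` before passing the text in, and the check masks bit 0x400 rather than comparing the whole value, because other compatibility flags may be set on the same control.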
Security Bulletin MS06-018, “Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service,” addresses a DoS threat caused by an MSDTC Invalid Memory Access Vulnerability (CVE-2006-0034) and/or an MSDTC Denial of Service Vulnerability (CVE-2006-1184).
This bulletin replaces MS05-051 for Windows 2000. This bulletin does not apply to Windows Server 2003 SP1.
This is a low-level threat for all affected versions except Windows 2000; it is a moderate threat for Windows 2000. Read the security bulletin to learn about any mitigating factors.
Install the update. As a workaround, you can block this minor threat by disabling the Distributed Transaction Coordinator. However, if there’s a successful attack, the DTC may be the only disabled component anyway.
While Microsoft has provided a patch for MS06-020, keep in mind that this is not a Microsoft vulnerability. The vulnerability stems from Adobe’s code and is unrelated to any errors in Microsoft code.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.