Microsoft has released three security bulletins for May. Of
the three, Redmond has rated two as critical and one as low to moderate,
depending on the affected version.
Details
This month’s Patch Tuesday was relatively quiet, with the release of two critical security bulletins and one low-level threat that doesn’t present much risk. Let’s take a closer look.
MS06-019
Microsoft Security Bulletin MS06-019, “Vulnerability in Microsoft Exchange Could Allow Remote Code Execution,” addresses a single Exchange Calendar vulnerability (CVE-2006-0027).
The vulnerability is due to the failure of Collaboration Data Objects for Exchange (CDOEX) and Exchange Collaboration Data Objects (EXCDO) to properly process Virtual Calendar (vCal) and Internet Calendar MIME content in e-mails.
This bulletin replaces MS05-048 for Exchange Server 2000 only.
Applicability
- Exchange Server 2000
- Exchange Server 2003 Service Pack 1
- Exchange Server 2003 SP2
Risk level
Because it’s a remote code execution threat, Microsoft has rated this bulletin
as critical.
Mitigating factors
There are no known mitigating factors for this vulnerability.
Fix
Install the update. As a workaround, you can require authentication for all
connections to the server. In addition, you can block iCal/vCal on Exchange Server
to increase protection against an attack via SMTP e-mail.
MS06-020
Microsoft Security Bulletin MS06-020, “Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution,” addresses two problems with Flash, both related to the way the Adobe software processes SWF flash animation files: CVE-2006-0024 and CVE-2005-2628.
Applicability
- Windows XP SP1
- Windows XP SP2
- Windows 98
- Windows ME
- Windows 98 SE
This bulletin does not affect Windows 2000, Windows Server
2003, or Windows Server 2003 SP1.
Risk level
Microsoft has rated this bulletin as critical.
Mitigating factors
MS06-020 only applies to those using Macromedia Flash Player version 6 or earlier who haven’t already applied the fix provided in Adobe Security Bulletin APSB06-03.
Fix
Install the update. As a workaround, you can block the Flash Player ActiveX
control from running. Read the entire security bulletin for more information.
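The "block the Flash Player ActiveX control" workaround is done in practice by setting the Internet Explorer kill bit on the control's CLSID. The following audit script is an added example, not part of the column or of Microsoft's bulletin; it assumes the well-known Shockwave Flash Object CLSID and the kill-bit flag value (0x400) documented in Microsoft's ActiveX Compatibility guidance, and it only reports state unless you call Set-FlashKillBit yourself from an elevated session.

```powershell
# Added example: audit (and optionally set) the IE kill bit for the Flash ActiveX control.
# Assumptions (not from the column): CLSID and the 0x400 kill-bit flag below are taken
# from general Windows/IE documentation, not from the MS06-020 text itself.
$FlashClsid = '{D27CDB6E-AE6D-11cf-96B8-444553540000}'   # Shockwave Flash Object (assumed)
$KillBit    = 0x400                                      # "Compatibility Flags" kill bit

function Get-FlashKillBitState {
    param([string]$Clsid = $FlashClsid)
    # The Wow6432Node path only matters on 64-bit Windows; it is harmless elsewhere.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($p in $paths) {
        $flags = 0
        if (Test-Path $p) {
            $v = Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($v) { $flags = [int]$v.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Path    = $p
            Flags   = ('0x{0:X}' -f $flags)
            Blocked = (($flags -band $KillBit) -ne 0)   # $true means IE will not load it
        }
    }
}

function Set-FlashKillBit {
    # Writes the kill bit, preserving any other compatibility flags already present.
    param([string]$Clsid = $FlashClsid)
    $p = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
    $cur = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = ([int]$cur) -bor $KillBit
    Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
}

Get-FlashKillBitState | Format-Table -AutoSize
```

Run the audit across a fleet before and after deploying the workaround so the change is verifiable, and remove the kill bit again once the patched Flash Player is installed.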
MS06-018
Microsoft Security Bulletin MS06-018, “Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service,” addresses a DoS threat caused by an MSDTC Invalid Memory Access Vulnerability (CVE-2006-0034) and/or an MSDTC Denial of Service Vulnerability (CVE-2006-1184).
This bulletin replaces MS05-051 for Windows 2000 only.
Applicability
- Windows 2000 SP4
- Windows XP SP1
- Windows XP SP2
- Windows Server 2003
This bulletin does not apply to Windows Server 2003 SP1.
Risk level
This is a low-level threat for all affected versions except Windows 2000; it is a moderate threat for Windows 2000.
Mitigating factors
Read the security bulletin to learn about any mitigating factors.
Fix
Install the update. As a workaround, you can block this minor threat by
disabling the Distributed Transaction Coordinator. However, if there’s a
successful attack, the DTC may be the only disabled component anyway.
Final word
While Microsoft has provided a patch for MS06-020, keep in mind that this is not a Microsoft vulnerability. The vulnerability stems from Adobe’s code and is unrelated to any errors in Microsoft code.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.