Volume 3, Number 16 -- May 10, 2006

Critical Windows Security Updates Released by Microsoft

Published: May 10, 2006

by Alex Woodie

Microsoft issued three patches yesterday--including two rated critical and one with a moderate rating--to fix security vulnerabilities in several of its products, including client and server versions of Windows and Exchange Server 2000 and 2003. Microsoft said it wasn't aware of any active attacks using any of the newly discovered problems. But that was yesterday, and the exploits are almost guaranteed to start arriving, so Windows shops should apply the patches as soon as possible.

Security Bulletin MS06-019 fixes a critical vulnerability in Exchange Server 2000 and Exchange Server 2003 Service Packs 1 and 2 (SP1 and SP2) that could allow an attacker to gain complete control over an affected system. The patch provides a fix for the Exchange Calendar Vulnerability, a privately disclosed flaw that attackers can exploit by sending specially crafted iCal or vCal messages to an Exchange server. Microsoft has not detected any active attacks, nor any "proof of concept" code exploiting this vulnerability on the Web. However, the damage potential of the Exchange Calendar Vulnerability--including the potential for a self-replicating worm--is quite high, which is why Microsoft gave it the critical rating.

This patch has known compatibility issues with two third-party products, Research In Motion's BlackBerry Enterprise Server and Good Technology's GoodLink Wireless Messaging system. Users of these systems should consult Microsoft's Knowledge Base article 912918 for guidance on resolving the problems this patch introduces.

Security Bulletin MS06-020 fixes two critical vulnerabilities in Windows XP SP1 and SP2 and the Windows 98/SE/Me family of operating systems that could allow an attacker to execute their choice of code on affected systems. These vulnerabilities are closely tied to unchecked buffers in Adobe's popular Macromedia Flash player, which can provide hackers with full system access if a victim opens a maliciously constructed Flash Animation (SWF) file, either in a Web browser or as an e-mail attachment.

Microsoft became aware of the problems in the Flash player last fall, when it published a security advisory on the topic. Because Microsoft distributes the Macromedia Flash player with some versions of Windows, it addressed the vulnerability with its own patches.

Security Bulletin MS06-018 patches the least significant flaws, a collection of three MSDTC vulnerabilities that carry the risk of denial of service (DoS) attacks for users of Windows 2000 SP4, Windows XP SP1 and SP2, the original release of Windows Server 2003, and the version of Windows Server 2003 for Itanium-based Systems. (Current operating systems not affected by this flaw include the SP1 releases of Windows Server 2003 for 32-bit and 64-bit Itanium systems, and the Windows Server 2003 for x64 Systems release that's based on the Server SP1 code.)

That's only half the story, however. Users who are still running older operating systems--including Windows NT Workstation 4.0 SP6a and Windows 2000 SP2 and SP3--beware. You are at risk of a DoS attack due to the MSDTC flaws, and Microsoft is not going to help you unless you sign up for custom support (call it the "stick" part of Microsoft's "carrot and stick" approach to dealing with its legacy problem). "It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities," Microsoft says in Security Bulletin MS06-018.

Microsoft also updated its Malicious Software Removal Tool with yesterday's update.


Editor: Alex Woodie
Contributing Editors: Dan Burger, Joe Hertvik,
Shannon O'Donnell, Timothy Prickett Morgan
Publisher and Advertising Director: Jenny Thomas
Advertising Sales Representative: Kim Reed
Copyright © 1996-2008 Guild Companies, Inc. All Rights Reserved.
Guild Companies, Inc., 50 Park Terrace East, Suite 8F, New York, NY 10034