Patch Tuesday Analysis for May 2006

Today Microsoft released 3 security bulletins and I agree with Microsoft's severity rating on all 3. Read on for my analysis on all 3 bulletins.

MS06-019 - Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)

This one is a doozy! A bad guy sends a specially crafted email to someone in your organization with scheduling or calendar content in either iCal or vCal format (both are MIME types). When Exchange Server receives and processes the email, the malformed iCal or vCal file tricks the server into running arbitrary code. Organizations should deploy this patch as soon as possible, but since there are currently no reports of actual exploitation and, at the time of writing, no proof-of-concept code was public, testing is appropriate because this patch affects a core component of Exchange. Moreover, this patch includes a change in functionality affecting the SendAs permission. Before installing this patch, make sure you understand what changes with regard to SendAs and Full Mailbox Access permissions, especially if your organization uses shared mailboxes, delegated SendAs or the following products: Research In Motion (RIM) BlackBerry Enterprise Server (BES) or Good Technology GoodLink Wireless Messaging.

MS06-020 - Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (913433)

Here's another interesting one. This is the first time in my memory that Microsoft has released a security update for a non-Microsoft product. The update patches a vulnerability in Adobe's Flash Player, which is redistributed by Microsoft in Internet Explorer on Windows XP Service Packs 1 and 2. You can use the Microsoft security update unless you've upgraded to Flash 7 or higher, in which case you'll have to deploy the update provided by Adobe at http://www.adobe.com/devnet/security/security_zone/apsb06-03.html. This vulnerability allows attackers to execute arbitrary code on a user's PC if they can succeed in getting the user to play malformed Flash content, such as through email, a rogue website or a website that fails to prevent rogue content from being posted. I recommend that you install either the Microsoft or Adobe patch to workstations after fully testing it on a limited rollout.

MS06-018 - Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)

This final bulletin deals with a denial of service vulnerability in Microsoft Distributed Transaction Coordinator (MSDTC), which is used by SQL Server, BizTalk Server, Exchange Server, or Message Queuing and most server clusters. The denial of service effect is limited to MSDTC; it doesn't impact other services or functions on the system. Unless you use one of these products or some other application that depends on MSDTC, you can avoid loading this patch and simply disable the MSDTC service on systems that don't require it, using group policy. Note that MSDTC is present on Windows XP and Windows 2000 Professional.
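
An added example, not part of the original analysis: a PowerShell audit for deciding which systems "don't require" MSDTC before the service is disabled. The function names and the list of product service names are assumptions for illustration; the final line runs with -WhatIf, so it reports its findings without changing the service.

```powershell
# Added example (not from the original article). Function names and the
# product service-name patterns are assumptions; adjust them to your estate.
function Test-MsdtcRequired {
    param(
        [string[]]$ProductServicePatterns = @(
            'MSSQLSERVER', 'MSSQL$*',  # SQL Server default and named instances
            'BTSSvc*',                 # BizTalk Server host instances
            'MSExchangeIS',            # Exchange Information Store
            'MSMQ',                    # Message Queuing
            'ClusSvc'                  # Cluster service
        )
    )
    $msdtc = Get-Service -Name 'MSDTC' -ErrorAction SilentlyContinue
    if (-not $msdtc) {
        return [pscustomobject]@{ Installed = $false; Status = $null; Required = $false; Reasons = @() }
    }
    $reasons = @()
    # Running services that declare a dependency on MSDTC.
    foreach ($svc in $msdtc.DependentServices) {
        if ($svc.Status -eq 'Running') { $reasons += "dependent service running: $($svc.Name)" }
    }
    # Products named in the bulletin analysis that are installed on this host.
    foreach ($pattern in $ProductServicePatterns) {
        foreach ($svc in @(Get-Service -Name $pattern -ErrorAction SilentlyContinue)) {
            $reasons += "product service installed: $($svc.Name)"
        }
    }
    [pscustomobject]@{
        Installed = $true
        Status    = $msdtc.Status
        Required  = ($reasons.Count -gt 0)
        Reasons   = $reasons
    }
}

function Disable-MsdtcIfUnused {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $audit = Test-MsdtcRequired
    if ($audit.Installed -and -not $audit.Required -and
        $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable MSDTC')) {
        Stop-Service -Name 'MSDTC' -Force
        Set-Service -Name 'MSDTC' -StartupType Disabled
    }
    $audit   # always return the findings so they can be logged or exported
}

Disable-MsdtcIfUnused -WhatIf | Format-List
```

An application that uses MSDTC without registering a service dependency will not show up in this audit, so treat an empty Reasons list as a candidate for disabling, not as proof.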

| Bulletin | Exploit Types / Technologies Affected | System Types Affected | Exploit details public? / Being exploited? | Comprehensive, practical workaround available? | MS severity rating | Products Affected | Notes | Randy's recommendation |
|---|---|---|---|---|---|---|---|---|
| MS06-020 (913433) | Arbitrary code / Windows | Workstations, Terminal Servers | Yes/No | Yes | Critical | XP, Windows Millennium, Win98 | Macromedia Flash Player from Adobe version 6 or earlier | I recommend that you install either the Microsoft or Adobe patch to workstations after fully testing it on a limited rollout. |
| MS06-018 (913580) | Denial of service / Windows | Workstations, Terminal Servers | No/No | No | Moderate | Win2000, XP, Server 2003, Datacenter Server 2000, Small Business Server 2003, Small Business Server 2000, BackOffice Small Business Svr | Note that MSDTC is present on Windows XP and Windows 2000 Professional. | Vulnerability with Microsoft Distributed Transaction Coordinator, which is used by SQL Server, BizTalk Server, Exchange Server, or Message Queuing and most server clusters. The denial of service effect is limited to MSDTC; it doesn't impact other services or functions on the system. Unless you use one of these products or some other application that depends on MSDTC, you can avoid loading this patch and simply disable the MSDTC service on systems that don't require it, using group policy. |
| MS06-019 (916803) | Arbitrary code / Exchange | Servers, Exchange Servers | No/No | No | Critical | Exchange 2000, Exchange 2003 | Before installing this patch, make sure you understand what changes with regard to SendAs and Full Mailbox Access permissions, especially if your organization uses shared mailboxes. | Organizations should deploy this patch as soon as possible, but testing is appropriate since this patch affects a core component of Exchange. |
