Microsoft Security Bulletin MS07-026: Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (931832)

Interesting .. http://www.microsoft.com/technet/security/bulletin/ms07-026.mspx

This update resolves several newly discovered, privately reported vulnerabilities. Each vulnerability is documented in its own subsection in the Vulnerability Details section of this bulletin.

An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

We recommend that customers apply the update immediately.

Microsoft Exchange 2000 Server Service Pack 3 with the Exchange 2000 Post-Service Pack 3 Update Rollup of August 2004 — Download the update (KB931832)

Microsoft Exchange Server 2003 Service Pack 1 — Download the update (KB931832)

Microsoft Exchange Server 2003 Service Pack 2 — Download the update (KB931832)

Microsoft Exchange Server 2007 — Download the update (KB935490)

Outlook Web Access Script Injection Vulnerability
An information disclosure vulnerability exists in Microsoft Exchange in the way that Outlook Web Access (OWA) handles script-based attachments. An attached script could spoof content, disclose information, or take any action that the user could take within the context of the OWA session.

Affects:
Microsoft Exchange Server 2000 Service Pack 3    
Microsoft Exchange Server 2003 Service Pack 1
Microsoft Exchange Server 2003 Service Pack 2

Malformed iCal Vulnerability
A denial of service vulnerability exists in Microsoft Exchange Server because of the way that it handles calendar content requests. An attacker could exploit the vulnerability by sending an e-mail message with a specially crafted iCal file to a Microsoft Exchange Server user account. An attacker successfully exploiting this vulnerability could cause the mail service to stop responding.

Affects:
Microsoft Exchange Server 2000 Service Pack 3    
Microsoft Exchange Server 2003 Service Pack 1
Microsoft Exchange Server 2003 Service Pack 2
Microsoft Exchange Server 2007

MIME Decoding Vulnerability
A remote code execution vulnerability exists in Microsoft Exchange Server because of the way that it decodes specially crafted e-mail messages. An attacker could exploit the vulnerability by sending a specially crafted e-mail to a Microsoft Exchange Server user account. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
    
Affects:
Microsoft Exchange Server 2000 Service Pack 3    
Microsoft Exchange Server 2003 Service Pack 1
Microsoft Exchange Server 2003 Service Pack 2
Microsoft Exchange Server 2007

IMAP Literal Processing Vulnerability
A denial of service vulnerability exists in Microsoft Exchange Server because of the way that it handles invalid IMAP requests. An attacker could exploit the vulnerability by sending a specially crafted IMAP command to a Microsoft Exchange Server configured as an IMAP server. An attacker successfully exploiting this vulnerability could cause the mail service to stop responding.

Affects:
Microsoft Exchange Server 2000 Service Pack 3    
