News

Microsoft Releases 3 Security Fixes for Windows, Exchange

As expected, Microsoft Corp. today released three new security bulletins today as part of its monthly Patch Tuesday announcement, with two of the patches being rated as "critical."

As expected, Microsoft Corp. today released three new security bulletins today as part of its monthly Patch Tuesday announcement, with two of the patches being rated as "critical."

One of the critical bullitens is for Microsoft Exchange, the company's popular messaging software; the other is for a vulnerability Windows that have Adobe's Macromedia Flash Player installed. The third patch, deemed "moderate," replaces a fix released a year ago that affected the MSDTC service.

The Exchange flaw, covered by bulletin MS06-19, affects Exchange Server 2000 with Service Pack 3, and Exchange Server 2003 with Service Pack 1 and 2. It fixes a recently discovered remote code execution flaw that was reported to Microsoft privately, in which an attacker might take over a system through a specially crafted e-mail with CDO objects attached or with certain vCAl or iCal properties, which is then sent through a targeted Exchange server. An attacker who gets into a compromised system through this method would then be able to view, change or delete data, as well as create new accounts with full user rights.

Bulletin MS06-020, also rated critical by Microsoft, fixes another remote code execution flaw that mainly affects Windows XP with Service Packs 1 and 2, as well as Windows 98, 98SE and Millenium Edition that have the Macromedia Flash Player versions 5 and 6 installed. The flaw can allow an attacker to get access to a user's system if that user is logged on with administrative user rights, so the flaw does carry less risk.

The fix isn't applicable to Windows 2000 or Windows Server 2003 (with or without SP3), since those systems don't come with Flash installed by default. However, because Flash is a popular media program used on many Web sites, Microsoft points to guidance on the Adobe Systems Web site for further help with fixes.

Microsoft rates bulletin MS06-018 as moderate; it replaces bulletin MS05-051 that was issued a year ago. The flaw allows an attacker who gains access by sending a network message to an infected system to launch a denial of service attack, which could cause the Microsoft Distributed Transaction Coordinator service to stop responding. The vulnerability exists due to an unchecked buffer in the MSDTC service.

Windows 2000 systems are mainly at risk, but so to are Windows XP SP1 and Windows Server 2003 system that have the service turned on.

More details can be found here.

Featured

  • Microsoft Appoints Althoff as New CEO for Commercial Business

    Microsoft CEO and chairman Satya Nadella on Wednesday announced the promotion of Judson Althoff to CEO of the company's commercial business, presenting the move as a response to the dramatic industrywide shifts caused by AI.

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.