May 9, 2006 12:54 PM PDT

Windows, Exchange flaws patched

Microsoft on Tuesday released three security updates, two of which address critical flaws in its Exchange e-mail server and third-party software in Windows.

Critical vulnerabilities in Microsoft Exchange Calendar and Adobe's Macromedia Flash Player in Windows can lead to remote code execution on a user's system, according to Microsoft's security bulletins.

The software giant also issued a "moderate" update for flaws in Windows, according to its bulletin. An attacker could launch a denial-of-service attack by sending a specially crafted network message through the system to exploit the flaw.

The critical Microsoft Exchange flaws affect Microsoft Exchange Server 2000 with Post-Service Pack (SP) 3, Microsoft Exchange 2000 Enterprise Server, and Microsoft Exchange Server 2003 with SP 1 or SP 2.

"An attacker could exploit the vulnerability by constructing a specially crafted message that could potentially allow remote code execution when an Exchange Server processes an e-mail with certain...properties," according to Microsoft's bulletin.

Security firm Symantec said the Microsoft Exchange flaw is the most serious of the three.

"Because the majority of Exchange servers are configured to receive e-mails from anonymous users, this vulnerability has the potential to manifest itself in the form of a worm if machines are not properly patched," Oliver Friedrichs, Symantec Security Response director, said in a statement.

Microsoft also issued a Windows update for what it described as critical flaws in Adobe's Macromedia Flash Player 5 and 6. An attacker could exploit these vulnerabilities in the Flash Player by constructing a malicious Flash animation file. Users visiting a Web site containing the specially crafted file may find their computer system taken over.

The Flash Player flaws affect Windows XP Home Edition, with SP 1 or SP 2; XP Professional; Windows 98 with Gold service pack or SP1; Windows 98 SE with Gold service pack; and Windows ME with Gold service pack.


1 comment

Antitrust
This is a good reason why no company should be forced to carry other people's products inside their own.
I don't think in this case MS was forced to carry Flash Player, but had they been forced to carry Netscape, or if the EU commission forces them to carry Real Player and other products, the number of monthly patches will certainly go up, and the risk for Windows users will go higher, without Microsoft having any responsibility on the problem or any way to help.
Posted by Hernys (744 comments )