US-CERT Technical Cyber Security Alert TA06-129A -- Microsoft Windows and Exchange Server Vulnerabilities

                        National Cyber Alert System

                Technical Cyber Security Alert TA06-129A


Microsoft Windows and Exchange Server Vulnerabilities

   Original release date: May 9, 2006
   Last revised: --
   Source: US-CERT


Systems Affected

     * Microsoft Windows
     * Microsoft Exchange Server

   For more complete information, refer to the Microsoft Security
   Bulletin Summary for May 2006.


Overview

   Microsoft has released updates that address critical vulnerabilities
   in Microsoft Windows and Exchange Server. Exploitation of these
   vulnerabilities could allow a remote, unauthenticated attacker to
   execute arbitrary code or cause a denial of service on a vulnerable
   system.


I. Description

   Microsoft Security Bulletin Summary for May 2006 addresses
   vulnerabilities in Microsoft Windows and Exchange Server. Further
   information is available in the following US-CERT Vulnerability Notes:


   VU#303452 - Microsoft Exchange fails to properly handle vCal and iCal
   properties 

   Microsoft Exchange Server does not properly handle the vCal and iCal
   properties of email messages. Exploitation of this vulnerability may
   allow a remote, unauthenticated attacker to execute arbitrary code on
   an Exchange Server.
   (CVE-2006-0027)


   VU#945060 - Adobe Flash products contain multiple vulnerabilities 

   Several vulnerabilities in Adobe Macromedia Flash products may allow a
   remote attacker to execute code on a vulnerable system.
   (CVE-2006-0024)


   VU#146284 - Macromedia Flash Player fails to properly validate the
   frame type identifier read from a "SWF" file 

   A buffer overflow vulnerability in some versions of the Macromedia
   Flash Player may allow a remote attacker to execute code on a
   vulnerable system.
   (CVE-2005-2628)


II. Impact

   A remote, unauthenticated attacker could execute arbitrary code on a
   vulnerable system. An attacker may also be able to cause a denial of
   service.


III. Solution

Apply Updates

   Microsoft has provided updates for these vulnerabilities in the
   Security Bulletins. Microsoft Windows updates are available on the
   Microsoft Update site.

Workarounds

   Please see the US-CERT Vulnerability Notes for workarounds.


Appendix A. References

     * Microsoft Security Bulletin Summary for May 2006 -
       <http://www.microsoft.com/technet/security/bulletin/ms06-may.mspx>

     * Technical Cyber Security Alert TA06-075A -
       <http://www.us-cert.gov/cas/techalerts/TA06-075A.html>

     * US-CERT Vulnerability Note VU#303452 -
       <http://www.kb.cert.org/vuls/id/303452>

     * US-CERT Vulnerability Note VU#945060 -
       <http://www.kb.cert.org/vuls/id/945060>

     * US-CERT Vulnerability Note VU#146284 -
       <http://www.kb.cert.org/vuls/id/146284>

     * CVE-2006-0027 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0027>

     * CVE-2006-0024 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0024>

     * CVE-2005-2628 -
       <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2628>

     * Microsoft Update - <https://update.microsoft.com/microsoftupdate>


 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA06-129A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@xxxxxxxx> with "TA06-129A Feedback VU#303452" in the
   subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2006 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

   May 9, 2006: Initial release


    
    
