Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

   


   


   

















      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FW: [SA25183] Microsoft Exchange Multiple Vulnerabilities



> 
> TITLE:
> Microsoft Exchange Multiple Vulnerabilities
> 
> SECUNIA ADVISORY ID:
> SA25183
> 
> VERIFY ADVISORY:
> http://secunia.com/advisories/25183/
> 
> CRITICAL:
> Highly critical
> 
> IMPACT:
> Cross Site Scripting, DoS, System access
> 
> WHERE:
> From remote
> 
> SOFTWARE:
> Microsoft Exchange Server 2000
> http://secunia.com/product/41/
> Microsoft Exchange Server 2003
> http://secunia.com/product/1828/
> Microsoft Exchange Server 2007
> http://secunia.com/product/13797/
> Microsoft Exchange 2000 Enterprise Server
> http://secunia.com/product/42/
> 
> DESCRIPTION:
> Some vulnerabilities have been reported in Microsoft Exchange, which
> can be exploited by malicious people to conduct script insertion
> attacks, cause a DoS (Denial of Service), or compromise a vulnerable
> system.
> 
> 1) Outlook Web Access (OWA) does not handle a certain UTF character
> set label correctly. As a results, script-based attachments are not
> properly sanitised before being displaying, which can be exploited to
> execute arbitrary HTML and script code in a user's browser session in
> context of a vulnerable site when opening a file.
> 
> 2) An error in the Exchange Collaboration Data Objects (EXCDO)
> functionality when handling calender content requests can be
> exploited to cause the mail service to stop responding via a
> specially crafted iCal file.
> 
> 3) An error in the MIME decoding can be exploited to execute
> arbitrary code via a malicious e-mail message containing specially
> crafted base64-encoded content.
> 
> 4) An error in the handling of invalid IMAP requests can be exploited
> to cause the mail service to stop responding via a specially crafted
> IMAP command.
> 
> SOLUTION:
> Apply patches.
> 
> Exchange 2000 Server SP3 with Exchange 2000 Post-SP3 Update Rollup of
> August 2004:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=21968
> 843-4A81-4F1D-8207-5B0A710E3157
> 
> Exchange Server 2003 SP1:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=5E793
> 9BE-73D1-461C-8C79-EDDB0F1459FC
> 
> Exchange Server 2003 SP2:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=1ABF9
> 3DA-D765-4876-96B5-ACB2D2A48F8F
> 
> Exchange Server 2007:
> http://www.microsoft.com/downloads/details.aspx?FamilyId=35687
> 4EF-C9C0-4842-99F0-E449E9940358
> 
> PROVIDED AND/OR DISCOVERED BY:
> 1) The vendor credits Martijn Brinkers, Izecom.
> 2) The vendor credits Alexander Sotirov, Determina Security
> Research.
> 3) Reported by the vendor.
> 4) Discovered by Joxean Koret and reported via iDefense Labs.
> 
> ORIGINAL ADVISORY:
> MS07-026 (KB931832):
> http://www.microsoft.com/technet/security/Bulletin/MS07-026.mspx
> 



 




Copyright © Lexa Software, 1996-2009.