STANFORD UNIVERSITY

SECURE COMPUTING

Security Alerts

May 10, 2006

Microsoft Releases Patches for Multiple Critical Vulnerabilities

Summary

On May 9, 2006, Microsoft released three new security updates, two of them rated as critical. One affects servers running Microsoft Exchange; the other affects systems running Microsoft-supplied versions of Macromedia Flash Player.

The Exchange vulnerability is directly exploitable over the Internet. The Flash vulnerability can result in system-level compromise if the user opens a maliciously constructed web page or HTML email message.

What to Do

Windows users can manually use "Windows Update" to download and install the current operating system patches. If you installed Macromedia Flash yourself (i.e. it did not come bundled with your version of Windows), see Adobe's security bulletin for details of how to upgrade your software.

Additionally, it is recommended that all Windows machines have an automated patch management solution installed and configured on their system. Stanford provides BigFix to automatically patch Windows machines; it is available at http://patching.stanford.edu. Alternatively, Windows Automatic Update should be enabled.

Please remember to reboot your machine after patching manually, or when prompted to do so by Windows Update or by your BigFix administrator. Most patches do not take effect until after a reboot.

Technical Detail

Information regarding all three security updates is available at http://www.microsoft.com/technet/security/bulletin/ms06-May.mspx. The following are brief summaries of those rated as critical.


MS06-019 - Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (KB916803)
  • Affected platforms:
    • Microsoft Exchange Server 2000
    • Microsoft Exchange Server 2003, with Service Pack 1 or Service Pack 2
  • Remotely exploitable over the Internet

MS06-020 - Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (KB913433)
  • NOTE: This update only applies to the versions listed below because they included Macromedia Flash in the default installation. Users of other platforms may still be vulnerable if they installed Macromedia Flash themselves. More details are available in Adobe's security bulletin.
  • Affected platforms:
    • Windows 98, 98SE, ME
    • Windows XP, with Service Pack 1 or Service Pack 2
  • Activated by opening a malicious web page.

References

Additional information regarding these vulnerabilities is available at

The Information Security Office would like to thank the Windows Systems Team in ITS for their assistance in producing this alert.

Last modified Monday, 08-Oct-2007 04:34:17 PM
