Vulnerabilities in Microsoft Exchange, Now With Security Update
Microsoft Exchange has vulnerabilities that miscreants can exploit to insert malicious script, launch a DoS (Denial of Service) attack, or take control of a vulnerable system. Secunia reported this on May 8, 2007.
Microsoft's 2007 software, including Exchange and Office, has been reported to be vulnerable, which shows that the security development lifecycle is not without faults, according to Amol Sarwate, manager of the vulnerability research lab at Qualys. CNet reported this on May 8, 2007.
The flaw in Microsoft Exchange may allow an attacker to compromise a system running the e-mail server program without any particular user action. Microsoft Exchange, including Exchange 2007, has four vulnerabilities that the software giant has fixed with its MS07-026 patch.
The most severe fault lies in the way Exchange encodes e-mail messages. The four vulnerabilities, in order, involve Outlook Web Access (OWA), Exchange Collaboration Data Objects (EXCDO), MIME decoding, and the handling of invalid IMAP requests.
The new Exchange update patches previously unknown flaws in Microsoft's messaging software that, if exploited, could compromise the server, said Paul Zimski, Patchlink's director of product and marketing strategy. The Exchange update will have the widest impact on organizations, as it affects their core business, according to Zimski. Reseller News published Zimski's comments on May 9, 2007.
If hackers succeeded in developing suitable exploit code for Exchange, they could implant an illegitimate program on the server. That could be done by sending a malicious e-mail that easily bypasses filters, Zimski said.
Unlike the Exchange bugs, the Windows DNS server flaw had been known for a month. Attackers already have code to exploit this flaw, and security vendors have seen some related online attacks.
The problem, which affects Windows 2000 and Windows Server 2003 systems, could allow illegitimate software to be run by sending maliciously encoded Remote Procedure Call packets to the DNS server. The flaw does not affect Windows 2000 Professional, XP and Vista.
Microsoft also issued updates that patched flaws in the Capicom cryptography technology used by Biztalk Server.
» SPAMfighter News - 17-05-2007