MS Sec Notification mailing list archives

Previous By Date Next
Previous By Thread Next

REVISED: Microsoft Exchange Server Security Bulletin Summary for October 2003

From: "Microsoft" <0_53964_04BF067D-4CF8-4245-B5C1-58573E5746A8_US () Newsletters Microsoft com>
Date: Wed, 22 Oct 2003 21:22:38 -0700
-----BEGIN PGP SIGNED MESSAGE-----

- --------------------------------------------------------------------
Title: Microsoft Exchange Server Security Bulletin Summary for 
       October 2003
Issued: October 15, 2003
Updated: October 22, 2003
Version Number: 2.0
Bulletin:
http://www.microsoft.com/technet/security/bulletin/excoct03.asp
- --------------------------------------------------------------------

Reason for Major Revision
=========================
Subsequent to the release of the Windows Security Bulletin Summary 
for October, the following bulletin has undergone a major revision 
increment.  Please see the appropriate bulletin section of this 
email for more details.

- - MS03-047

Summary:
========
Included in this advisory are updates for two newly discovered 
vulnerabilities in Microsoft Exchange Server. These vulnerabilities, 
broken down by severity are: 


** Critical Security Bulletins

    MS03-046 - Vulnerability in Exchange Server could allow 
               Arbitrary Code Execution (829436)

             - Affected Software: 
               - Exchange Server 5.5
               - Exchange 2000 Server

             - Impact: Remote Code Execution
             - Version Number: 1.1 

** Moderate Security Bulletins 

    MS03-047 - Vulnerability in Exchange Server 5.5 Outlook Web 
               Access Could Allow Cross-Site Scripting Attack 
               (828489)

             - Affected Software:
               - Exchange Server 5.5

             - Impact: Remote Code Execution 
             - Version Number: 2.0

     Reason for Major Revision, V2.0 October 22, 2003:
     =================================================
     Subsequent to the original release of this bulletin, it was
     discovered that certain languages were not covered by the
     original patch. This bulletin has been updated to provide 
     information about a new patch, which is intended for customers
     having installed a language from the Language Packs for
     Outlook Web Access. In addition, for this patch to function 
     properly the Outlook Web Access (OWA) server on which the 
     patch is installed must have Internet Explorer 5.01 or greater
     installed. If the patch is installed on a system with a version
     of IE less than 5.01, unexpected consequences may result.
     The "Caveats" section has been updated to include version
     requirements for this patch. It also contains version
     recommendations for dependent components that are applicable at
     the time of this writing. The deployment section has also been 
     expanded to discuss in detail how to download and install this
     security patch.
 
    
Patch Availability:
===================
Patches are available to fix these vulnerabilities.
For additional information, including Technical Details, 
Workarounds, answers to Frequently Asked Questions, and Patch 
Deployment Information please read the Microsoft Exchange 
Security Bulletin Summary for October at:
http://www.microsoft.com/technet/security/bulletin/excoct03.asp 

Acknowledgments:
================
Microsoft thanks the following for working with us to protect 
customers:

- - João Gouveia (joao.gouveia () vodafone com)
     for reporting the issue described in MS03-046. 

- - Ory Segal of Sanctum Inc. (http://www.sanctuminc.com/)
     for reporting the issue described in MS03-047. 


Support: 
========
Technical support is available from Microsoft Product Support 
Services at 1-866-PC SAFETY (1-866-727-2338). There is no charge for 
support calls associated with security patches.
 
Revisions: 
==========
* V1.0 October 15, 2003: Bulletin Created.
* V2.0 October 22, 2003: Updated to include details of the 
  major revisions in MS03-047.

********************************************************************
Protect your PC: 
Microsoft has provided information on how you can
help protect your PC at the following locations: 
http://www.microsoft.com/technet/security/protect 

Patch Management Strategies:
The Microsoft Guide to Security Patch Management Web Site provides 
additional information about Microsoft's best practice
recommendations for applying security patches:
http://www.microsoft.com/technet/security/topics/patch/secpatch/Defa
ult.asp

IT Pro Security Zone Community:
Learn to improve security and optimize your IT infrastructure,
and participate with other IT Pros on security topics:
http://www.microsoft.com/technet/security/community/default.mspx

If you receive an e-mail that claims to be distributing a 
Microsoft security patch, it is a hoax that may be distributing a 
virus. Microsoft does not distribute security patches via e-mail. 
You can learn more about Microsoft's software distribution 
policies here:
http://www.microsoft.com/technet/security/policy/swdist.asp
********************************************************************
- --------------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED 
"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL 
WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT 
SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY 
DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, 
CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF 
MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE 
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION 
OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES 
SO THE FOREGOING LIMITATION MAY NOT APPLY.
- --------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBP5cjzY0ZSRQxA/UrAQHeGggAnDmNXGECw3C/HoZYl6LiHDnSTme+PkZ1
ZoRBRETSuHm8jvS6Z+oOMsmoePUECnoFZ0CvT9xygqbYNu5G6I9ZlhHE74XeNvSj
VznQSPctjV0iDRkcSZeRmm+ZBMKxxiGCYRRzdXiskepdn7w9iJUeIXpw7+NfJFvm
6Gmb/jShoBexVHmcWC7g95RxC+3oEsRnSBOc0LLJ4TQjTvhF/TfEtWKDKzGNC05X
I/fS1i111Vu2GTS1jY2Q4HSnHiNBnW6P1BCAnW2K01LRgNqwiYvbrJfagvFYn+Xo
PJDJmy2ziJy4bMLwL5WZckYkHkJw8G49NlOQXEoS+3Gojm4uT5nkQg==
=QMr2
-----END PGP SIGNATURE-----


*******************************************************************

You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification 
Service.  For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.
 
To verify the digital signature on this bulletin, please download our PGP key at 
http://www.microsoft.com/technet/security/notify.asp.
 
To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at 
http://register.microsoft.com/regsys/pic.asp 
 
If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via 
email as described below:
Reply to this message with the word UNSUBSCRIBE in the Subject line.
 
For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at 
http://www.microsoft.com/security.
Previous By Date Next
Previous By Thread Next

Current thread: