Microsoft Exchange Server Security Bulletin Summary for October, 2003
Issued: October 15, 2003
Updated: June 16, 2004
Version Number: 3.1
Protect your PC: Microsoft has provided information on how you can help protect your PC at the following locations:
| • | End Users can visit the Protect Your PC Web site. |
| • | IT Professionals can visit the Microsoft TechNet Security Center Web site. |
Update Management Strategies: The Patch Management, Security Updates, and Downloads Web site provides additional information about Microsoft’s best practices recommendations for applying security updates.
IT Pro Security Community: Learn to improve security and optimize your IT infrastructure, and participate with other IT Pros on security topics on the Microsoft TechNet Security Center Web site.
Microsoft Security Notification Service: To receive automatic e-mail notification whenever Microsoft security bulletins are issued, subscribe to the Microsoft Security Notification Service: http://www.microsoft.com/technet/security/bulletin/notify.mspx
Summary
Subsequent to the release of this bulletin, it was determined that the vulnerability discussed in MS03-046 also affects Exchange Server 5.0. Microsoft has updated MS03-046 with additional information about Exchange Server 5.0 and also to direct users to a security update for this additional affected platform.
Included in this advisory are updates for two newly discovered vulnerabilities in Microsoft Exchange Server. These vulnerabilities, broken down by severity are:
Critical
Affected Software |
| ||||||
Impact | Remote Code Execution | ||||||
Last Revised | April 13, 2004 | ||||||
Version Number | 2.0 |
Moderate
Affected Software |
| ||
Impact | Remote Code Execution | ||
Last Revised | October 22, 2003 | ||
Version Number | 2.0 |
Deployment
Systems Management Server (SMS):
For information about how to deploy this security patch with Systems Management Server, visit the following Microsoft Web site. Systems Management Server utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation.
http://www.microsoft.com/technet/sms/20/downloads/featurepacks/suspack/default.mspx
Some software updates may require administrative rights following a restart of the computer. For information about how you can use Systems Management Server to deploy this type of update, visit the following Microsoft Web site:
http://www.microsoft.com/SMServer/downloads/20/featurepacks/adminpack/default.asp
Note: The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be used for installation. This provides optimal deployment for updates that require explicit targeting using Systems Management Server, and the administrative rights after the computer has been restarted.
Microsoft Baseline Security Analyzer (MBSA):
The Microsoft Baseline Security Analyzer allows administrators to scan local and remote systems for missing security patches as well as common security misconfigurations. More information on MBSA is available at: http://www.microsoft.com/mbsa
Other information:
Acknowledgments
Microsoft thanks the following for working with us to protect customers:
| • | Joćo Gouveia for reporting the issue described in MS03-046. |
| • | Ory Segal of Sanctum Inc. for reporting the issue described in MS03-047. |
Support:
| • | Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls associated with security patches. |
Security Resources:
| • | The Microsoft TechNet Security Center Web site provides additional information about security in Microsoft products. |
| • | Microsoft Software Update Services: http://www.microsoft.com/sus/ |
| • | Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of security patches that have detection limitations with MBSA tool. |
| • | Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166 |
| • | Office Update: http://update.microsoft.com/microsoftupdate/ |
| • | Office Update: http://office.microsoft.com/officeupdate/ |
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
| • | V1.0 October 15, 2003: First Published. |
| • | V1.1 October 21, 2003: Removed unnecessary information from "Deployment" in MS03-047. |
| • | V2.0 October 22, 2003: Updated to include details of an additional patch for languages available through the Outlook Web Access language pack in MS03-047. |
| • | V2.1 November 11, 2003: Corrected file sizes under "Security Patch Information" "Exchange Server 5.5 Service Pack 4" in MS03-046. |
| • | V3.0 April 13, 2004: Bulletin updated to advise that MS03-046 has been updated with additional information about an update additional for Exchange Server 5.0 |
| • | V3.1 June 16, 2004: Updated information in Summary Bulletin about Update Management Strategies. |