Microsoft Patches Two Critical Vulnerabilities
As expected, Microsoft issued patches for two critical vulnerabilities in its software on May 9, including flaws in its Windows and Exchange products, as part of its monthly security update.
While the company's latest patch distribution is meant to help Microsoft customers fix several well-known loopholes in its software, the update did not address a series of flaws isolated in the firm's Internet Explorer browser, as some experts had predicted.
Microsoft typically applies a "critical" rating to high-priority vulnerabilities that can be exploited to allow the propagation of an Internet worm without any user action, and the problems addressed in the May security update appear to fit that bill.
The first critical issue detailed by Microsoft affects its Exchange Server 2000 and Exchange Server 2003 product versions, which, if left unpatched, could allow attackers to take control of machines remotely and install programs, manipulate data or create new user accounts with full usage privileges, the company said.
Microsoft indicated that the remote code execution vulnerability can be exploited using specially crafted messages that allow computers to become infected when Exchange Server processes an e-mail possessing certain properties related to Microsoft's vCal or iCal calendar features.
The issue specifically affects Exchange users who have downloaded earlier Microsoft product updates, including the Service Pack 3 release for Exchange 2000, as well as Service Pack 1 and Service Pack 2 updates for Exchange 2003.
The second critical vulnerability detailed by Microsoft involves customers using the company's dominant Windows OS along with Macromedia Flash Player from Adobe, which it reported could also allow for remote code execution.
Read the full story on eWEEK.com: Microsoft Patches Two Critical Vulnerabilities