Inside MSRC: Wisdom on Exchange security

By Christopher Budd
09 May 2006 | SearchSecurity.com



This month the Microsoft Security Response Center (MSRC) has released three security bulletins. The May bulletins address vulnerabilities in Microsoft Exchange and Microsoft Windows; two of them are rated "critical," one for Exchange and one for Windows. Beyond the vulnerability details and the fixes themselves, this month's Exchange bulletin carries a permission change that Exchange administrators should factor into their deployment planning.

First, Exchange administrators running Exchange Server 2003 Service Pack 1 should be aware that this month's Exchange bulletin, MS06-019, contains a security-related change in addition to the fix for an Exchange calendar vulnerability. The change was first shipped in Exchange hotfixes in January 2006, and it adds granularity to the "Send As" permission.

About Inside MSRC

As part of a special partnership with SearchSecurity.com, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.


Before this change, granting the "Full Mailbox Access" permission implicitly granted permission to Send As the mailbox owner. In practice, this meant that another account with Full Mailbox Access could send messages that appeared to come from the mailbox owner, with no "on behalf of" marker to distinguish them. After this change, administrators must explicitly grant Send As to an account before it can send as another user, even if that account already holds Full Mailbox Access. (Full Mailbox Access itself is unchanged: the holder can still open, read and delete the owner's mail.) We made this change based on customer feedback and requests: many customers told us they wanted more granularity in the granting of permissions.

While the more granular permissions give Exchange administrators greater control and flexibility, in keeping with least privilege the update does not automatically grant Send As to every account that holds Full Mailbox Access. After the change is applied, any account with Full Mailbox Access that also needs to send as the mailbox owner must be granted Send As explicitly. Microsoft Knowledge Base article 895949 describes the change itself.

The key point for deployment planning is that this change can break applications that rely on the implicit Send As permission, typically server-side applications that were given Full Mailbox Access and send mail as the mailbox owner from a service account. Microsoft Knowledge Base article 912918 lists the applications that could be affected and the steps customers can take to address the issue.

Because this change is part of MS06-019, applying the security update applies the permission change as well. For that reason we encourage Exchange administrators to review the Knowledge Base article noted above as part of the evaluation and testing process before deploying MS06-019. More information is also available in the "Frequently asked questions related to this security update" section of the bulletin itself, which covers the other changes in the update as well as deployment and detection.
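The check that follows the change above is whether each account that holds Full Mailbox Access on a given mailbox also holds an explicit Send As grant on the owner's Active Directory object. This is an added example, written for this page rather than taken from the column or from KB 895949/912918, and it uses PowerShell, which postdates the column; the distinguished name, the CONTOSO domain and the svc-fax delegate are placeholders, and the script assumes it runs on a domain-joined host with rights to read and modify the target user object. The GUID is the well-known Send-As extended right.

```powershell
# Added example (not from the column or the KB articles). Lists and grants the
# Send-As extended right on a mailbox owner's AD object. Placeholders: the DN,
# the domain name and the delegate account.
$SendAsRightGuid = [Guid]'ab721a54-1e2f-11d0-9819-00aa0040529b'   # Send-As extended right

function Get-SendAsGrants {
    param([string]$TargetDn)
    $target = [ADSI]"LDAP://$TargetDn"
    # Explicit and inherited ACEs, identities resolved to DOMAIN\name.
    $rules = $target.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    # Only ACEs naming the Send-As extended right count. Full Mailbox Access is a
    # separate mailbox right (msExchMailboxSecurityDescriptor) and no longer implies Send As.
    $rules | Where-Object {
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        ($_.ObjectType -eq $SendAsRightGuid)
    } | Select-Object IdentityReference, AccessControlType, IsInherited
}

function Grant-SendAs {
    param([string]$TargetDn, [string]$Domain, [string]$Delegate)
    $target   = [ADSI]"LDAP://$TargetDn"
    $identity = New-Object System.Security.Principal.NTAccount($Domain, $Delegate)
    # Allow ACE for the Send-As extended right only; no other rights are added.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $SendAsRightGuid)
    $target.ObjectSecurity.AddAccessRule($ace)
    $target.CommitChanges()
}

$owner = 'CN=Alice Example,OU=Users,DC=contoso,DC=com'   # placeholder DN

Write-Host 'Send As grants before:'
Get-SendAsGrants -TargetDn $owner | Format-Table -AutoSize

# A service account that holds Full Mailbox Access and sends as Alice needs this
# explicit grant once the MS06-019 change is in place.
Grant-SendAs -TargetDn $owner -Domain 'CONTOSO' -Delegate 'svc-fax'

Write-Host 'Send As grants after:'
Get-SendAsGrants -TargetDn $owner | Format-Table -AutoSize

# Equivalent grant with the dsacls command-line tool (CA = control access right):
#   dsacls "CN=Alice Example,OU=Users,DC=contoso,DC=com" /G "CONTOSO\svc-fax:CA;Send As"
```

Run the listing half alone against the mailboxes your applications send from and compare it with their Full Mailbox Access holders; any account present in the second set but absent from the first is one that depended on the implicit grant and will stop sending after the update. Watch for Deny entries in the output, since an explicit Deny on the Send-As right overrides an Allow obtained through group membership.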

From a risk-assessment point of view, MS06-019 addresses a remote code-execution vulnerability in the way EXCDO and CDOEX process certain iCal and vCal properties. If an attacker were able to deliver a specially formed message to the Exchange server, he or she could run code on the server itself, which is why the bulletin is rated critical.

In addition to MS06-019, we have released one other critical bulletin: MS06-020, which addresses vulnerabilities in Macromedia Flash Player. Flash Player is made by Adobe Systems Inc. (formerly Macromedia Inc.), but we are releasing this bulletin because the affected versions were redistributed by Microsoft. If you have installed Flash Player 7 or later yourself, we recommend that you download the latest version from the Adobe Web site. Alongside Microsoft security bulletin MS06-020, see Macromedia security bulletin MPSB05-07 and Adobe security bulletin APSB06-03.

Our last bulletin this month, MS06-018, addresses a denial-of-service vulnerability in the Microsoft Distributed Transaction Coordinator (MSDTC). Because the denial of service would not affect the entire system (only the MSDTC and any dependent services), this bulletin is rated "moderate" for Windows 2000. Due to other mitigating factors, it is rated "low" for the other affected platforms, Microsoft Windows XP and Microsoft Windows Server 2003. Note that Microsoft Windows Server 2003 Service Pack 1 is not affected.

In planning deployments, all three bulletins are detected by Microsoft Baseline Security Analyzer (MBSA) 2.0. MBSA 1.2.1 detects MS06-018 and MS06-019 only; MBSA 1.2.1 customers will need the May 2006 Enterprise Update Scanning Tool to detect MS06-020.

You can deploy all three bulletins using Microsoft Systems Management Server with either the SMS Software Update Services (SUS) Feature Pack or the SMS 2003 Inventory Tool for Microsoft Updates.

You can use Windows Server Update Services (WSUS) to deploy all three bulletins. The older Software Update Services (SUS) can deploy only the two Windows bulletins, MS06-018 and MS06-020, not the Exchange update.

Here's one final note regarding deployment: if you have enabled Automatic Updates (AU) against Microsoft Update on your Exchange server, be aware that MS06-019 requires a reboot, so the AU client will restart the server automatically once MS06-019 is installed. If an unplanned restart of a mail server is not acceptable in your environment, set AU to notify before installing, or schedule the installation for a maintenance window.
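To find out in advance whether an Exchange server will take MS06-019, and the reboot with it, on its own, read the Automatic Updates configuration before approving the update. This is an added example, not code from the column; it assumes the documented AU registry locations (the Group Policy key and the local key), that the server is running with administrative rights, and that a value of 4 in AUOptions means "download and install on schedule," 3 means "download and notify," and 2 means "notify before download."

```powershell
# Added example (not from the column). Reports whether Automatic Updates on this
# server will install approved updates, and therefore reboot after MS06-019,
# without an administrator in the loop.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$LocalKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

function Get-AutoUpdateMode {
    # The Group Policy key wins over the local setting when both carry AUOptions.
    foreach ($key in $PolicyKey, $LocalKey) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($props -and $props.PSObject.Properties['AUOptions']) {
            return [pscustomobject]@{
                Source       = $key
                AUOptions    = [int]$props.AUOptions          # 2 notify, 3 download+notify, 4 scheduled install
                NoAutoReboot = [bool]$props.NoAutoRebootWithLoggedOnUsers
            }
        }
    }
    return $null
}

function Test-UnattendedReboot {
    param($Mode)
    if ($null -eq $Mode) { return 'Automatic Updates is not configured in the registry; updates are manual.' }
    switch ($Mode.AUOptions) {
        4 {
            $note = if ($Mode.NoAutoReboot) { ' (deferred only while a user is logged on)' } else { '' }
            return "AUOptions=4 from $($Mode.Source): MS06-019 will install on schedule and the server will reboot itself$note."
        }
        default { return "AUOptions=$($Mode.AUOptions) from $($Mode.Source): installation waits for an administrator, so no unplanned reboot." }
    }
}

Test-UnattendedReboot -Mode (Get-AutoUpdateMode)

# To keep downloads automatic but hand the install (and the reboot) to a change
# window, set AUOptions to 3. Create the policy key first if it does not exist:
#   New-Item -Path $PolicyKey -Force | Out-Null
#   Set-ItemProperty -Path $PolicyKey -Name AUOptions -Value 3
```

NoAutoRebootWithLoggedOnUsers only postpones the restart while someone is logged on interactively, which is rarely the case on a mail server, so it is not a substitute for taking the install out of AU's hands.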

As we do each month on the day after the bulletin release, I and one of my colleagues will be hosting a technical webcast to share more information about this month's release and, most important, to answer your questions on the air. This month's webcast is Wednesday, May 10, 2006, at 11 a.m. PDT. You can register for it at http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032294228&EventCategory=4&culture=en-US&CountryCode=US.

For further information, I have also written a TechNet column called "Principles of Patch Management," which outlines Microsoft's principles regarding security updates.

Finally, for those of you who will be joining us next month at TechEd 2006 in Boston, I will be presenting two sessions about the MSRC that might be of interest: "Integrating Your Emergency Response Process With the Microsoft Security Incident Response Process" and "Reading a Microsoft Security Bulletin." I hope you'll be able to join us.

Oh, and don't forget: Our June security bulletin release is scheduled for Tuesday, June 13, 2006.

All Rights Reserved, Copyright 2003 - 2009, TechTarget