News Stay informed about the latest enterprise technology news and product updates.

Inside MSRC: Wisdom on Exchange security

Microsoft's trio of May security bulletins includes a critical update for Exchange. The Microsoft Security Response Center's Christopher Budd explains why that particular bulletin may be more complex than it appears.


This month the Microsoft Security Response Center (MSRC) has released three security bulletins. The May security bulletins address vulnerabilities in Microsoft Exchange and Microsoft Windows. Two of the bulletins this month are rated "critical," one each for Exchange and Windows. In addition to the information about the vulnerabilities and addressing them, the Exchange bulletin this month has some information Exchange administrators should be aware of as they plan their deployments.

First, it's important for Exchange administrators running Exchange Server 2003 Service Pack 1 to be aware that this month's Exchange bulletin, MS06-019, contains a security-related change in addition to addressing an Exchange calendar vulnerability. Specifically, it encompasses a change that was introduced into Exchange hotfixes in January 2006. This change provides additional granularity around the "Send As" permission.

About Inside MSRC

As part of a special partnership with, Christopher Budd, security program manager for the Microsoft Security Response Center (MSRC), offers an inside look at the process that leads up to "Patch Tuesday" and guidance to help security professionals make the most out of the software giant's security updates.

Also see:
Inside MSRC: Microsoft details Internet Explorer ActiveX update

Before this change, granting the "Full Mailbox Access" permission implicitly granted permission to Send As the mailbox owner. In practice, this meant that another user account with Full Mailbox Access could send messages that appeared as if they were sent by the mailbox owner. After this change, administrators will have to explicitly grant permissions to a user for him or her to be able to send as another user, including users with Full Mailbox Access permissions. We've made this change based on customer feedback and requests: Many customers told us they wanted more granularity in the granting of permissions.

While the more granular permissions provide greater control and flexibility to Exchange administrators, in the interest of best security practices the update does not automatically grant Send As permissions to all accounts with Full Mailbox Access. This means that after this change is applied, any accounts that have Full Mailbox Access that also require Send As permissions will have to be granted that permission explicitly. Microsoft Knowledge Base article 895949 offers more information about the change itself.

A key thing for Exchange administrators to note in terms of deployment planning is that this change can affect some applications that rely on the implicit Send As permission. We have assembled information about the applications that could be affected and what steps customers can take to address the issue in the Microsoft Knowledge Base article 912918.

Because this change is included in MS06-019, when the security update is applied, this security-related change is applied as well. For that reason we encourage Exchange administrators to review the Knowledge Base article noted above as part of the evaluation and testing process before deploying MS06-019. More information is also available in the "frequently asked questions related to this security update" section of the bulletin itself. There you can find information about the update itself including information about other changes, deployment and detection.

From a risk-assessment point of view, MS06-019 addresses a remote code-execution vulnerability in how EXCDO and CDOEX processes certain iCAL and vCAL properties. This means if an attacker were able to send a specially formed message to the Exchange server, he or she could run code in the security context of the operating system.

In addition to MS06-019, we have released one other critical bulletin: MS06-020. This addresses vulnerabilities in Macromedia Flash Player. While Flash Player is made by Adobe Systems Inc., formerly Macromedia Inc., we are releasing this bulletin to share details about versions of Flash Player that have been redistributed by Microsoft. If you have installed Flash Player 7 or higher, we recommend that you download the latest version from the Adobe Web site. In addition to our Microsoft security bulletin MS06-020, there's information available in Macromedia security bulletin MPSB05-07 and Adobe security bulletin APSB06-03.

Our last bulletin this month, MS06-018, addresses a denial–of-service vulnerability in the Microsoft Distributed Transaction Coordinator (MSDTC). Because the denial of service would not affect the entire system (it would only affect the MSDTC and any dependant services), this bulletin is rated "moderate" for Windows 2000. Due to other mitigating factors, it is rated as "low" for all other affected platforms: Microsoft Windows XP and Microsoft Windows Server 2003. Please also note that Microsoft Windows Server 2003 Service Pack 1 is not affected.

In planning deployments, all three bulletins are detected by Microsoft Baseline Security Analyzer (MBSA) 2.0. MBSA 1.2.1 provides detection for both MS06-018 and MS06-019; however, MBSA 1.2.1 customers will need to use the May 2006 Enterprise Update Scanning Tool for MS06-020.

You can deploy all three bulletins using Microsoft Systems Management Server with either the SMS Software Update Services (SUS) Feature Pack or the SMS 2003 Inventory Tool for Microsoft Updates.

You can use Windows Server Update Service (WSUS) to deploy all three bulletins. SUS can be used to deploy the two Windows bulletins: MS06-018 and MS06-020.

Here's one final note regarding deployment: If you have enabled Automatic Updates (AU) for Microsoft Update for your Exchange Server, MS06-019 does require a reboot. This means that an Exchange Server will be automatically rebooted by the AU client once MS06-019 is installed.

As we do each month on the day after the bulletin release, I and one of my colleagues will be hosting a technical webcast to share more information about this month's release and, most important, to answer your questions on the air. This month's webcast is Wednesday, May 10, 2006, at 11 a.m. PDT. You can register for it at

For further information, I have also written a TechNet column called "Principles of Patch Management," which outlines Microsoft's principles regarding security updates.

Finally, for those of you who will be joining us next month at TechEd 2006 in Boston, I will be presenting two sessions about the MSRC that might be of interest: "Integrating Your Emergency Response Process With the Microsoft Security Incident Response Process" and "Reading a Microsoft Security Bulletin." I hope you'll be able to join us.

Oh, and don't forget: Our June security bulletin release is scheduled for Tuesday, June 13, 2006.

Dig Deeper on Microsoft Patch Tuesday and patch management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.