WinDeveloper IMF Tune

WinDeveloper IMF Tune
WinDeveloper IMF Tune
  • Home
  • Security
  • Is MS05-048 an Important or Critical Exchange Security Update?

Is MS05-048 an Important or Critical Exchange Security Update?

Alexander Zammit

Alexander Zammit Photo

Alexander Zammit has been developing server applications for over 15 years. Most of his works involve Exchange integrated applications, including a FAX server, a mail security product and anti-spam products.

  • Published: Oct 12, 2005
  • Category: Security
  • Votes: none - none
Cast your Vote
Poor Excellent

The severity of bulletin MS05-048 CDO Remote Code Execution vulnerability is being classified as Important. Nevertheless this in reality is a Critical update for many Exchange 2000 Organizations.

Microsoft just released the MS05-048 security bulletin. This discloses the existence of a vulnerability within Microsoft Collaboration Data Objects (CDO) and provides the necessary fix. Software affected includes the Windows 2003, 2000, XP platforms and Exchange 2000. Exchange 2003 and Exchange 5.5 are not affected.

The vulnerability exposes affected systems to the risk of a remote code execution exploit. If successful, an attacker would be able to completely take over the machine.

The attack may be carried out anonymously by submitting a specially crafted email. For the attack to be successful some application must processes this email through CDO (cdosys.dll or codex.dll).

The official severity rating for MS05-048 is set to Important. This is mainly due to the fact that Exchange 2000 itself does not rely on these interfaces. Furthermore Windows 2003 platforms do not install IIS6 by default, rendering them even less vulnerable.

Nevertheless Exchange 2000 administrators should be very careful. The CDO interfaces are commonly used in Exchange extension products. If you are running any third party applications, chances are that you are exposed to this vulnerability. Just to give you an idea, many Exchange integrated anti-virus and anti-spam solutions commonly rely on CDO.

The Bulletin also proposes two workarounds against which I also have to warn you. Basically the workarounds involve either disabling third party event sinks or un-registering the CDO interface DLLs. Before considering these options please ask yourself the following:

  1. What type of third party applications are running on the server?
  2. Are these applications providing security or some other critical services?
  3. How will the installed applications relying on CDO react to such a change? Will these fail gracefully?

If for example you are running anti-virus protection and this relies on CDO, then you should rely be thinking twice. What is a graceful failure for anti-virus? These applications normally have to play-safe. So blocking the email flow altogether might sound like the right thing to do. What if you disable the sink and all emails go through un-scanned? You will agree with me, that is worst than being exposed to the exploit!

So my conclusion is to skip over the workarounds and apply the fix ASAP.

References

MS05-048 - Vulnerability in the Microsoft Collaboration Data Objects Could Allow Remote Code Execution (907245)

Copyright © 2005 - 2016 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation