Microsoft just released the MS06-019 security bulletin, disclosing the existence of a remote code execution vulnerability in Exchange 2000 and 2003.
The vulnerability is rated as Critical. It may be exploited anonymously through the submission of a specially crafted message. A successful attacker could take control of the affected system.
Based on the bulletin details, the problem originates from the handling of iCard and vCard MIME content types. So far, there are no exploits or proof-of-concept code in the wild. Nevertheless, now that the existence of the vulnerability is public, malware developers are likely to look for ways to deliver an exploit.
Apart from eliminating the vulnerability, the fix also changes how mailbox access rights are granted. This concerns the permission necessary for sending emails on behalf of another mailbox owner. As highlighted in an earlier article, the change may lead to mailbox access problems.
This important change was announced a few months ago. Now, with MS06-019, there is little choice other than moving ahead with the update. In this manner, both the vulnerability fix and the changes in mailbox access are deployed. Microsoft released a very detailed KB article (see references) explaining the changes and how to resolve any consequent loss in mailbox access. Consult it to ensure a smooth adoption of this fix.
References
Microsoft Security Bulletin MS06-019
Changes in Mailbox Access Rights May Stop Exchange Applications
Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003