Skip to main content This browser is no longer supported. Show
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
In this articleSecurity Bulletin Microsoft Security Bulletin MS09-003 - CriticalVulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)Published: February 10, 2009 | Updated: May 26, 2009 Version: 3.0 General InformationExecutive SummaryThis security update resolves two privately reported vulnerabilities in Microsoft Exchange Server. The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding. This security update is rated Critical for all supported editions of Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, Microsoft Exchange Server 2007, and Microsoft Exchange Server MAPI Client. For more information, see the subsection, Affected and Non-Affected Software, in this section. The security update addresses the vulnerabilities by modifying the way Microsoft Exchange Server interprets TNEF messages and MAPI commands. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information. Recommendation. Microsoft recommends that customers apply the update immediately. Known Issues. Microsoft Knowledge Base Article 959239 documents the currently known issues that customers may experience when installing this security update, and recommended solutions. When currently known issues and recommended solutions pertain only to specific releases of this software, this article provides links to further articles. Affected and Non-Affected SoftwareThe following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle. Affected Software
*Includes the Microsoft Exchange System Management Tools for Exchange Server 2003 if the server is also running an active instance of the Exchange service. For more information, see the section, Frequently Asked Questions (FAQ) Related to This Security Update. **Includes 32-bit and x64-based editions ***The Microsoft Exchange Server MAPI Client contains the vulnerable code. In order to be protected from the vulnerabilities described in this bulletin, customers running the Microsoft Exchange Server MAPI Client must update to version 6.5.8069 of the MAPI Client. For more information, see the section, Frequently Asked Questions (FAQ) Related to This Security Update. Why was this bulletin re-released on May 26, 2009? Why was this bulletin re-released on February 16, 2009? Microsoft also revised this bulletin to add several entries to the section, Frequently Asked Questions (FAQ) Related to This Security Update, relating to updating the Microsoft Exchange Server MAPI Client and the Exchange System Management tools. I am using an older version of the Microsoft Exchange Server MAPI Client, how do I update to version 6.5.8069? The update package for the Microsoft Exchange Server MAPI Client also
includes CDO 1.2.1. Is CDO 1.2.1 affected by the vulnerabilities described in this bulletin? How do I know if I have Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1
installed on my system? There are two downloads available from the DownloadCenter for Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1 with the same title.
Is there a difference between them? I have Exchange System Management Tools for Exchange Server 2003. Is my system vulnerable? If the Exchange service is disabled, the exploitable attack vectors discussed in this security bulletin are not exposed; however, customers may install the security update for Exchange Server 2003 Service Pack 2 (KB959897) as a defense-in-depth measure. I am a third-party application developer and I recommend that customers install Exchange System Management Tools for Exchange Server 2003 as a prerequisite in order to use my application. How do they update it? I have installed Exchange System Manager for Windows Vista. Is my system vulnerable? Where are the file information details? What is the difference between the servicing models for Microsoft Exchange Server 2007 and Microsoft Exchange Server 2003,
and how does the difference impact the updates in this security bulletin? For a more detailed explanation of the Microsoft Exchange servicing model, please see the Microsoft Exchange Server 2007 product documentation. For questions regarding the new Exchange servicing model, please contact Microsoft Product Support Services. Do I need to install the update rollup
package for Exchange Server 2007-based servers in a particular sequence? If you are a customer of CAS Proxy Deployment Guidance, and if you have deployed CAS-CAS proxying, apply the update rollup to the Internet-facing Client Access servers before you apply the update rollup to the non-Internet-facing Client Access servers. For other Exchange Server 2007 configurations, the order in which you apply the update rollup to the servers is not important. For more information about CAS-CAS proxying, see Understanding Proxying and Redirection. Why does this update address several reported security vulnerabilities? I am using an older release of the software discussed in this security bulletin. What should I do? It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services. Customers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ. Vulnerability InformationSeverity Ratings and Vulnerability IdentifiersThe following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the February bulletin summary. For more information, see Microsoft Exploitability Index.
Memory Corruption Vulnerability - CVE-2009-0098A remote code execution vulnerability exists in the way Microsoft Exchange Server decodes the Transport Neutral Encapsulation Format (TNEF) data for a message. To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0098. Mitigating Factors for Memory Corruption Vulnerability - CVE-2009-0098Microsoft has not identified any mitigating factors for this vulnerability. Workarounds for Memory Corruption Vulnerability - CVE-2009-0098Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
FAQ for Memory Corruption Vulnerability - CVE-2009-0098What is the scope of the vulnerability? What causes the vulnerability? What is TNEF? What might an attacker use the vulnerability to do? How could an attacker exploit the vulnerability? What systems are primarily at risk from the vulnerability? What does the
update do? When this security bulletin was issued, had this vulnerability been publicly disclosed? When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? Literal Processing Vulnerability - CVE-2009-0099A denial of service vulnerability exists in the EMSMDB2 (Electronic Messaging System Microsoft Data Base, 32 bit build) provider because of the way it handles invalid MAPI commands. An attacker could exploit the vulnerability by sending a specially crafted MAPI command to the application using the EMSMDB32 provider. An attacker who successfully exploited this vulnerability could cause the application to stop responding. The denial of service vulnerability also affects the Microsoft Exchange System Attendant since it uses the EMSMDB32 provider. The Microsoft Exchange System Attendant is one of the core services in Microsoft Exchange and performs a variety of functions related to the on-going maintenance of the Exchange system. To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0099. Mitigating Factors for Literal Processing Vulnerability - CVE-2009-0099Microsoft has not identified any mitigating factors for this vulnerability. Workarounds for Literal Processing Vulnerability - CVE-2009-0099Microsoft has not identified any workarounds for this vulnerability. FAQ for Literal Processing Vulnerability - CVE-2009-0099What is the scope of the vulnerability? What causes the vulnerability? What is MAPI? What is EMSMDB32? What might an attacker use the vulnerability to do? How could an attacker exploit
the vulnerability? What systems are primarily at risk from the vulnerability? What does the update
do? When this security bulletin was issued, had this vulnerability been publicly disclosed? When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? Update InformationManage the software and security updates you need to deploy to the servers, desktop, and mobile systems in your organization. For more information see the TechNet Update Management Center. The Microsoft TechNet Security Web site provides additional information about security in Microsoft products. Security updates are available from Microsoft Update, Windows Update, and Office Update. Security updates are also available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update." Finally, security updates can be downloaded from the Microsoft Update Catalog. The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (such as, “MS07-036”), you can add all of the applicable updates to your basket (including different languages for an update), and download to the folder of your choosing. For more information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ. Detection and Deployment Guidance Microsoft has provided detection and deployment guidance for this month’s security updates. This guidance will also help IT professionals understand how they can use various tools to help deploy the security update, such as Windows Update, Microsoft Update, Office Update, the Microsoft Baseline Security Analyzer (MBSA), the Office Detection Tool, Microsoft Systems Management Server (SMS), and the Extended Security Update Inventory Tool. For more information, see Microsoft Knowledge Base Article 910723. Microsoft Baseline Security Analyzer Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer. The following table provides the MBSA detection summary for this security update.
For more information about MBSA 2.1, see MBSA 2.1 Frequently Asked Questions. Note For customers using legacy software not supported by MBSA 2.1, Microsoft Update, and Windows Server Update Services: please visit Microsoft Baseline Security Analyzer and reference the Legacy Product Support section on how to create comprehensive security update detection with legacy tools. Windows Server Update Services By using Windows Server Update Services (WSUS), administrators can deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000. For more information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site. Systems Management Server The following table provides the SMS detection and deployment summary for this security update.
For SMS 2.0 and SMS 2003, the SMS SUS Feature Pack (SUSFP), which includes the Security Update Inventory Tool (SUIT), can be used by SMS to detect security updates. See also Downloads for Systems Management Server 2.0. For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, see SMS 2003 Inventory Tool for Microsoft Updates. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications. For more information about the Office Inventory Tool and other scanning tools, see SMS 2003 Software Update Scanning Tools. See also Downloads for Systems Management Server 2003. System Center Configuration Manager 2007 uses WSUS 3.0 for detection of updates. For more information about Configuration Manager 2007 Software Update Management, visit System Center Configuration Manager 2007. For more information about SMS, visit the SMS Web site. For more detailed information, see Microsoft Knowledge Base Article 910723: Summary list of monthly detection and deployment guidance articles. Update Compatibility Evaluator and Application Compatibility Toolkit Updates often write to the same files and registry settings required for your applications to run. This can trigger incompatibilities and increase the time it takes to deploy security updates. You can streamline testing and validating Windows updates against installed applications with the Update Compatibility Evaluator components included with Application Compatibility Toolkit 5.0. The Application Compatibility Toolkit (ACT) contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Microsoft Windows Vista, a Windows Update, a Microsoft Security Update, or a new version of Windows Internet Explorer in your environment. Security Update DeploymentAffected Software For information about the specific security update for your affected software, click the appropriate link: Microsoft Exchange 2000 Server Service Pack 3Reference Table The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.
Deployment InformationInstalling the Update When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft Exchange hotfix. For more information about the installer, visit the Microsoft TechNet Web site. For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684. This security update supports the following setup switches.
Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. Removing the Update To remove this update, use Add or Remove Programs tool in Control Panel. System administrators can use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$ExchUninstall931832$\Spuninst folder. This security update supports the following setup switches.
Verifying That the Update Has Been Applied
Microsoft Exchange Server 2003 Service Pack 2Reference Table The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.
Deployment InformationInstalling the Update When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft Exchange hotfix. For more information about the installer, visit the Microsoft TechNet Web site. For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684. This security update supports the following setup switches.
Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. Removing the Update To remove this update, use Add or Remove Programs tool in Control Panel. System administrators can use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$ExchUninstall931832$\Spuninst folder. This security update supports the following setup switches.
Verifying That the Update Has Been Applied
Microsoft Exchange Server 2007 (all editions)Reference Table The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.
Deployment InformationInstalling the Update When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft Exchange hotfix. For more information about the installer, visit the Microsoft TechNet Web site. For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684. This security update supports the following setup switches.
Note You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. Verifying that the Update Has Been Applied
Other InformationAcknowledgmentsMicrosoft thanks the following for working with us to help protect customers:
Microsoft Active Protections Program (MAPP)To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners. Support
DisclaimerThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions
Built at 2014-04-18T13:49:36Z-07:00 What is an officially released software security update intended to repair a vulnerability?Patches are software and operating system (OS) updates that address security vulnerabilities within a program or product.
What is software that is intended to damage or disable?Software designed to destroy, damage, disable, or gain unauthorized access to any computer system, software, or electronic data. Malware is an abbreviation of the term malicious software and is also known as malicious code.
What type of software update is a cumulative package of all patches and features updates?A service pack is a tested, cumulative set of all hotfixes, security updates, critical updates, and other updates. Additionally, service packs may contain additional fixes for problems that are found internally since the release of the product.
What specific process in application development removed a resource that is no longer needed?Resource shrinking: removes unused resources from your packaged app, including unused resources in your app's library dependencies. It works in conjunction with code shrinking such that once unused code has been removed, any resources no longer referenced can be safely removed as well.
|