Microsoft Security Bulletin MS09-003 - Critical
Vulnerabilities in Microsoft Exchange Could Allow Remote Code Execution (959239)
Published: | Updated:
Version: 3.0
General Information
Executive Summary
This security update resolves two privately reported vulnerabilities in Microsoft Exchange Server. The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.
This security update is rated Critical for all supported editions of Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, Microsoft Exchange Server 2007, and Microsoft Exchange Server MAPI Client. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerabilities by modifying the way Microsoft Exchange Server interprets TNEF messages and MAPI commands. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately.
Known Issues. Microsoft Knowledge Base Article 959239 documents the currently known issues that customers may experience when installing this security update, and recommended solutions. When currently known issues and recommended solutions pertain only to specific releases of this software, this article provides links to further articles.
Affected and Non-Affected Software
The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
| Microsoft Server Software | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
|---|---|---|---|
| Microsoft Exchange 2000 Server Service Pack 3 with the Update Rollup of August 2004 (KB959897) | Remote Code Execution | Critical | None |
| Microsoft Exchange Server 2003 Service Pack 2* (KB959897) | Remote Code Execution | Critical | None (See Update FAQ for additional details) |
| Microsoft Exchange Server 2007 Service Pack 1** (KB959241) | Remote Code Execution | Critical | MS08-039 |
| Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1*** | Remote Code Execution | Critical | None |
*Includes the Microsoft Exchange System Management Tools for Exchange Server 2003 if the server is also running an active instance of the Exchange service. For more information, see the section, Frequently Asked Questions (FAQ) Related to This Security Update.
**Includes 32-bit and x64-based editions
***The Microsoft Exchange Server MAPI Client contains the vulnerable code. In order to be protected from the vulnerabilities described in this bulletin, customers running the Microsoft Exchange Server MAPI Client must update to version 6.5.8069 of the MAPI Client. For more information, see the section, Frequently Asked Questions (FAQ) Related to This Security Update.
Frequently Asked Questions (FAQ) Related to This Security Update
Why was this bulletin re-released on May 26, 2009?
Microsoft revised this security bulletin to announce a detection change for this security update. As a result of the correction, the detection now offers the Microsoft Exchange Server 2003 Service Pack 2 (KB959897) update to systems running the Exchange System Management Tools for Exchange Server 2003 on which no active instance of the Exchange service is running. Previously, this configuration was not offered the security update. Customers who have already installed the KB959897 update successfully on these systems do not need to reinstall the update.
Why was this bulletin re-released on February 16, 2009?
Microsoft re-released this bulletin to add the Microsoft Exchange Server MAPI Client as affected software. No other update packages are affected by this re-release. Customers running all other supported and affected versions of Microsoft Exchange Server who have already successfully applied the original security update packages do not need to take any further action with those original update packages.
Microsoft also revised this bulletin to add several entries to the section, Frequently Asked Questions (FAQ) Related to This Security Update, relating to updating the Microsoft Exchange Server MAPI Client and the Exchange System Management tools.
I am using an older version of the Microsoft Exchange Server MAPI Client, how do I update to version 6.5.8069?
Microsoft has provided a free update for Microsoft Exchange Server MAPI Client users to version 6.5.8069 available on the Download Center. As a result, all customers using an older version of the Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1 package should update to version 6.5.8069 to be protected from the vulnerabilities described in this bulletin.
The update package for the Microsoft Exchange Server MAPI Client also includes CDO 1.2.1. Is CDO 1.2.1 affected by the vulnerabilities described in this bulletin?
The download for the Microsoft Exchange Server MAPI Client also includes the package for Collaboration Data Objects (CDO) 1.2.1. The CDO 1.2.1 package is not affected by the vulnerabilities described in this bulletin. The package is included in the download for your convenience.
How do I know if I have Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1 installed on my system?
In Control Panel, check the Add or Remove Programs tool (Windows Server 2003 and earlier) or Programs and Features (Windows Vista and Windows Server 2008) for the entry, "Messaging API and Collaboration Data Objects 1.2.1."
There are two downloads available from the DownloadCenter for Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1 with the same title. Is there a difference between them?
No, there is no difference. The MAPI Client can be downloaded from either of the following pages:
Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1
Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1
I have Exchange System Management Tools for Exchange Server 2003. Is my system vulnerable?
The Exchange System Management Tools for Exchange Server 2003 contains the vulnerable code; however, the code can only be exploited if the server is also running an active instance of the Exchange service. Therefore, customers, who are running only the Exchange System Management Tools for Exchange Server 2003 and have an active instance of the Exchange service enabled, should install the security update for Exchange Server 2003 Service Pack 2 (KB959897) to be protected from the vulnerabilities described in this bulletin.
If the Exchange service is disabled, the exploitable attack vectors discussed in this security bulletin are not exposed; however, customers may install the security update for Exchange Server 2003 Service Pack 2 (KB959897) as a defense-in-depth measure.
I am a third-party application developer and I recommend that customers install Exchange System Management Tools for Exchange Server 2003 as a prerequisite in order to use my application. How do they update it?
Customers who are running only the Exchange System Management Tools for Exchange Server 2003 can install the security update for Exchange Server 2003 Service Pack 2 (KB959897) to be protected from the vulnerabilities described in this bulletin.
I have installed Exchange System Manager for Windows Vista. Is my system vulnerable?
The Exchange System Manager for Windows Vista is a download available for running the Exchange System Manager for Exchange Server 2003 on the Windows Vista operating system. Although, the Exchange System Manager for Windows Vista is not affected by the vulnerabilities described in this bulletin, the Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1 is a prerequisite for installing the Exchange System Manager for Windows Vista. As a result, customers running the Exchange System Manager for Windows Vista should ensure the Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1 running on their system is updated to the latest version.
Where are the file information details?
The file information details can be found in Microsoft Knowledge Base Article 959239.
What is the difference between the servicing models for Microsoft Exchange Server 2007 and Microsoft Exchange Server 2003, and how does the difference impact the updates in this security bulletin?
With the release of Microsoft Exchange Server 2007, Microsoft Exchange has moved to a new servicing model based on customer feedback and consistency with other Microsoft product servicing models. Exchange Server 2007 updates are cumulative at both the offered update level and at the individual file level, while Exchange Server 2003 updates are cumulative at the file level only.
For a more detailed explanation of the Microsoft Exchange servicing model, please see the Microsoft Exchange Server 2007 product documentation. For questions regarding the new Exchange servicing model, please contact Microsoft Product Support Services.
Do I need to install the update rollup package for Exchange Server 2007-based servers in a particular sequence?
Our test infrastructure helps guarantee that our updates work among multiple server roles. Therefore, you do not have to apply an update rollup package in a required order to the Exchange servers that are running different roles. However, you should apply an update rollup package to each Exchange Server 2007-based server in your environment. This is true because the update rollups are not divided for use with different Exchange roles or for use with particular file configurations.
If you are a customer of CAS Proxy Deployment Guidance, and if you have deployed CAS-CAS proxying, apply the update rollup to the Internet-facing Client Access servers before you apply the update rollup to the non-Internet-facing Client Access servers. For other Exchange Server 2007 configurations, the order in which you apply the update rollup to the servers is not important.
For more information about CAS-CAS proxying, see Understanding Proxying and Redirection.
Why does this update address several reported security vulnerabilities?
This update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.
I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.
Customers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.
Vulnerability Information
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the February bulletin summary. For more information, see Microsoft Exploitability Index.
| Affected Software | Memory Corruption Vulnerability - CVE-2009-0098 | Literal Processing Vulnerability - CVE-2009-0099 | Aggregate Severity Rating |
|---|---|---|---|
| Microsoft Exchange 2000 Server Service Pack 3 with the Update Rollup of August 2004 | Critical Remote Code Execution | Important Denial of Service | Critical |
| Microsoft Exchange Server 2003 Service Pack 2 | Critical Remote Code Execution | Important Denial of Service | Critical |
| Microsoft Exchange Server 2007 Service Pack 1 | Critical Remote Code Execution | Not applicable | Critical |
| Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1 | Critical Remote Code Execution | Important Denial of Service | Critical |
Memory Corruption Vulnerability - CVE-2009-0098
A remote code execution vulnerability exists in the way Microsoft Exchange Server decodes the Transport Neutral Encapsulation Format (TNEF) data for a message.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0098.
Mitigating Factors for Memory Corruption Vulnerability - CVE-2009-0098
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds for Memory Corruption Vulnerability - CVE-2009-0098
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
- Block MS-TNEF on Microsoft Exchange Server to help protect against attempts to exploit this vulnerability through SMTP e-mail
Blocking the application/ms-tnef MIME content type, could help protect Exchange servers and other affected programs from attempts to exploit this vulnerability if customers cannot install the available security update.
Systems can be configured to block certain types of files from being received as e-mail attachments. Microsoft TNEF-encoded e-mail messages, commonly known as rich text format (RTF) e-mail messages, can contain malicious OLE objects. These e-mail messages contain a file attachment that stores the TNEF information. This file attachment is usually named Winmail.dat. Blocking this file, and blocking the ms-tnef MIME type, could help protect Exchange servers and other affected programs from attempts to exploit this vulnerability if customers cannot install the available security update. To help protect an Exchange Server computer from attacks through SMTP, block the Winmail.dat file and all application/ms-tnef MIME type content before it reaches the Exchange Server computer.
Note You cannot mitigate this vulnerability by setting the Exchange rich-text format option in Exchange Server to Never used or by disabling TNEF processing by editing the registry.
Note Exchange supports other messaging protocols, such as X.400, that these workarounds do not protect. We recommend that administrators require authentication on all other client and message transport protocols to help prevent attacks using these protocols.
Note Filtering only for attachments that have the file name Winmail.dat may not be sufficient to help protect your system. A malicious file attachment could be given another file name that could then be processed by the Exchange Server computer. To help protect against malicious e-mail message’s, block all application/ms-tnef MIME type content.
There are many ways to block the Winmail.dat file and other TNEF content. Here are some suggestions:
- You can use ISA Server 2000 SMTP Message Screener to block all file attachments or to block only the Winmail.dat file. Blocking all file attachments provides the most protection for this issue if you use ISA Server 2000 because ISA Server 2000 does not support blocking content based on MIME content types. For more information, see Microsoft Knowledge Base Article 315132.
- You can use ISA Server 2000 SMTP Filter to block all file attachments or to block only the Winmail.dat file. Blocking all file attachments provides the most protection for this issue if you use ISA Server 2000 because ISA Server 2000 does not support blocking content based on MIME content types. For more information, see Microsoft Knowledge Base Article 320703.
- You can use ISA Server 2004 SMTP Filter and Message Screener block all file attachments or just the Winmail.dat file. Blocking all file attachments provides the most protection for this issue if you use ISA Server 2004 because ISA Server 2004 does not support blocking content based on MIME content types. For more information, see Microsoft Knowledge Base Article 888709.
- You can use attachment filtering in Microsoft Exchange Server 2007 to apply filters at the server level to control the attachments that users receive. See Attachment Filtering for more information.
- You can use third-party e-mail filters to block all application/ms-tnef MIME type content before it is sent to the Exchange Server computer or to a vulnerable application.
Impact of workaround: If TNEF attachments are blocked, e-mail messages that are formatted as RTF will not be received correctly. In some cases, users could receive blank e-mail messages instead of the original RTF-formatted e-mail message. In other cases, users may not receive e-mail messages that are formatted as RTF at all. Blocking the TNEF attachments will not affect e-mail messages that are formatted as HTML or that are formatted as plain text.
FAQ for Memory Corruption Vulnerability - CVE-2009-0098
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges when a user opens or previews a specially crafted e-mail message sent in TNEF format or when the Microsoft Exchange Server Information Store processes the specially crafted message. An attacker could then install programs; view, change, or delete data; or create new accounts.
What causes the vulnerability?
Exchange server does not properly decode a message received in TNEF format.
What is TNEF?
Transport Neutral Encapsulation (TNEF) is a format used by the Microsoft Exchange Server when sending messages formatted as Rich Text Format (RTF). When Microsoft Exchange is sending a message to another Microsoft e-mail client, it extracts all the formatting information and encodes it in a special TNEF block. It then sends the message in two parts: the text message with the formatting removed, and the formatting instructions in the TNEF block. On the receiving side, a Microsoft e-mail client processes the TNEF block and re-formats the message.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. An attacker could then install programs; view, change, or delete data; or create new accounts.
How could an attacker exploit the vulnerability?
An attacker could exploit the vulnerability by sending a specially crafted TNEF message to a Microsoft Exchange Server.
What systems are primarily at risk from the vulnerability?
Microsoft Exchange Servers are at risk.
What does the update do?
The update corrects the way that Microsoft Exchange Server interprets specific TNEF properties.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Literal Processing Vulnerability - CVE-2009-0099
A denial of service vulnerability exists in the EMSMDB2 (Electronic Messaging System Microsoft Data Base, 32 bit build) provider because of the way it handles invalid MAPI commands. An attacker could exploit the vulnerability by sending a specially crafted MAPI command to the application using the EMSMDB32 provider. An attacker who successfully exploited this vulnerability could cause the application to stop responding.
The denial of service vulnerability also affects the Microsoft Exchange System Attendant since it uses the EMSMDB32 provider. The Microsoft Exchange System Attendant is one of the core services in Microsoft Exchange and performs a variety of functions related to the on-going maintenance of the Exchange system.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2009-0099.
Mitigating Factors for Literal Processing Vulnerability - CVE-2009-0099
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds for Literal Processing Vulnerability - CVE-2009-0099
Microsoft has not identified any workarounds for this vulnerability.
FAQ for Literal Processing Vulnerability - CVE-2009-0099
What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding.
What causes the vulnerability?
The vulnerability is caused by Microsoft Exchange Server incorrectly handling a command in the EMSMDB32 provider.
What is MAPI?
MAPI is a set of functions that mail-enabled and mail-aware applications use to create, manipulate, transfer, and store mail messages. It gives application developers the tools to define the purpose and content of mail messages and gives them flexibility in their management of stored mail messages. MAPI also provides a common interface that application developers can use to create mail-enabled and mail-aware applications independent of the underlying messaging system. See the MFC Library Reference for MAPI for more information.
What is EMSMDB32?
Electronic Messaging System Microsoft Data Base, 32 bit build (EMSMDB32) provider refers to the Exchange Transport provider which implements both a transport and a message store provider for MAPI. It provides the ability to submit messages to Exchange Server and to read (and possible write) messages to an Exchange store. See How Outlook, CDO, MAPI, and Providers Work Together for more information on how MAPI and providers work together.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause the application or service using the EMSMDB32 provider to stop responding. One of the services that could stop responding is the Microsoft Exchange System Attendant service, since it uses the EMSMDB32 provider. The Microsoft Exchange System Attendant performs a variety of functions related to the on-going maintenance and processing of the Exchange system such as the generation of address lists, offline address books and directory lookup facilities. These tasks will be affected if the Exchange System Attendant service stops working.
How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by sending a specially crafted MAPI command to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the mail service to stop responding.
What systems are primarily at risk from the vulnerability?
Exchange server systems utilizing the EMSMDB provider are primarily at risk from this vulnerability.
What does the update do?
The update removes the vulnerability by modifying the way that Microsoft Exchange Server handles malformed MAPI commands.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Update Information
Detection and Deployment Tools and Guidance
Manage the software and security updates you need to deploy to the servers, desktop, and mobile systems in your organization. For more information see the TechNet Update Management Center. The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
Security updates are available from Microsoft Update, Windows Update, and Office Update. Security updates are also available from the Microsoft Download Center. You can find them most easily by doing a keyword search for "security update."
Finally, security updates can be downloaded from the Microsoft Update Catalog. The Microsoft Update Catalog provides a searchable catalog of content made available through Windows Update and Microsoft Update, including security updates, drivers and service packs. By searching using the security bulletin number (such as, “MS07-036”), you can add all of the applicable updates to your basket (including different languages for an update), and download to the folder of your choosing. For more information about the Microsoft Update Catalog, see the Microsoft Update Catalog FAQ.
Detection and Deployment Guidance
Microsoft has provided detection and deployment guidance for this month’s security updates. This guidance will also help IT professionals understand how they can use various tools to help deploy the security update, such as Windows Update, Microsoft Update, Office Update, the Microsoft Baseline Security Analyzer (MBSA), the Office Detection Tool, Microsoft Systems Management Server (SMS), and the Extended Security Update Inventory Tool. For more information, see Microsoft Knowledge Base Article 910723.
Microsoft Baseline Security Analyzer
Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For more information about MBSA, visit Microsoft Baseline Security Analyzer.
The following table provides the MBSA detection summary for this security update.
| Software | MBSA 2.1 |
|---|---|
| Microsoft Exchange 2000 Server Service Pack 3 with the Update Rollup of August 2004 | Yes |
| Microsoft Exchange Server 2003 Service Pack 2 | Yes |
| Microsoft Exchange Server 2007 Service Pack 1 | Yes |
| Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1 | No |
For more information about MBSA 2.1, see MBSA 2.1 Frequently Asked Questions.
Note For customers using legacy software not supported by MBSA 2.1, Microsoft Update, and Windows Server Update Services: please visit Microsoft Baseline Security Analyzer and reference the Legacy Product Support section on how to create comprehensive security update detection with legacy tools.
Windows Server Update Services
By using Windows Server Update Services (WSUS), administrators can deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000. For more information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site.
Systems Management Server
The following table provides the SMS detection and deployment summary for this security update.
| Software | SMS 2.0 | SMS 2003 with SUSFP | SMS 2003 with ITMU | Configuration Manager 2007 |
|---|---|---|---|---|
| Microsoft Exchange 2000 Server Service Pack 3 with the Update Rollup of August 2004 | Yes | Yes | Yes | No |
| Microsoft Exchange Server 2003 Service Pack 2 | Yes | Yes | Yes | Yes |
| Microsoft Exchange Server 2007 Service Pack 1 | No | No | Yes | Yes |
| Microsoft Exchange Server MAPI Client and Collaboration Data Objects 1.2.1 | No | No | No | No |
For SMS 2.0 and SMS 2003, the SMS SUS Feature Pack (SUSFP), which includes the Security Update Inventory Tool (SUIT), can be used by SMS to detect security updates. See also Downloads for Systems Management Server 2.0.
For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates (ITMU) can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 ITMU, see SMS 2003 Inventory Tool for Microsoft Updates. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications. For more information about the Office Inventory Tool and other scanning tools, see SMS 2003 Software Update Scanning Tools. See also Downloads for Systems Management Server 2003.
System Center Configuration Manager 2007 uses WSUS 3.0 for detection of updates. For more information about Configuration Manager 2007 Software Update Management, visit System Center Configuration Manager 2007.
For more information about SMS, visit the SMS Web site.
For more detailed information, see Microsoft Knowledge Base Article 910723: Summary list of monthly detection and deployment guidance articles.
Update Compatibility Evaluator and Application Compatibility Toolkit
Updates often write to the same files and registry settings required for your applications to run. This can trigger incompatibilities and increase the time it takes to deploy security updates. You can streamline testing and validating Windows updates against installed applications with the Update Compatibility Evaluator components included with Application Compatibility Toolkit 5.0.
The Application Compatibility Toolkit (ACT) contains the necessary tools and documentation to evaluate and mitigate application compatibility issues before deploying Microsoft Windows Vista, a Windows Update, a Microsoft Security Update, or a new version of Windows Internet Explorer in your environment.
Security Update Deployment
Affected Software
For information about the specific security update for your affected software, click the appropriate link:
Microsoft Exchange 2000 Server Service Pack 3
Reference Table
The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.
| Inclusion in Future Service Packs | There are no more service packs planned for this software. The update for this issue may be included in a future update rollup. |
| Deployment | |
| Installing without user intervention | For Microsoft Exchange 2000 Server Service Pack 3: Exchange2000-KB959897-x86-ENU /quiet |
| Installing without restarting | For Microsoft Exchange 2000 Server Service Pack 3: Exchange2000-KB959897-x86-ENU /norestart |
| Update log file | kb959897.log |
| Further information | For detection and deployment, see the earlier section, Detection and Deployment Tools and Guidance. |
| Restart Requirement | |
| Restart required? | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
| Hotpatching | Not applicable |
| Removal Information | For Microsoft Exchange 2000 Server Service Pack 3: Use Add or Remove Programs tool in Control Panel or the Spuninst.exe utility located in the %Windir%\$ExchUninstallKB959897$\Spuninst folder |
| File Information | See Microsoft Knowledge Base Article 959239 |
| Registry Key Verification | For Microsoft Exchange 2000 Server Service Pack 3: HKEY_LOCAl_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 2000\SP4\KB959897\Filelist |
Deployment Information
Installing the Update
When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft Exchange hotfix.
For more information about the installer, visit the Microsoft TechNet Web site.
For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.
This security update supports the following setup switches.
| Switch | Description |
|---|---|
| /help | Displays the command-line options. |
| Setup Modes | |
| /passive | Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds. |
| /quiet | Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. |
| Restart Options | |
| /norestart | Does not restart when installation has completed. |
| /forcerestart | Restarts the computer after installation and force other applications to close at shutdown without saving open files first. |
| /warnrestart[:x] | Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch. |
| /promptrestart | Displays a dialog box prompting the local user to allow a restart. |
| Special Options | |
| /overwriteoem | Overwrites OEM files without prompting. |
| /nobackup | Does not back up files needed for uninstall. |
| /forceappsclose | Forces other programs to close when the computer shuts down. |
| /log:path | Allows the redirection of installation log files. |
| /extract[:path] | Extracts files without starting the Setup program. |
| /ER | Enables extended error reporting. |
| /verbose | Enables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly. |
Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.
Removing the Update
To remove this update, use Add or Remove Programs tool in Control Panel.
System administrators can use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$ExchUninstall931832$\Spuninst folder.
This security update supports the following setup switches.
| Switch | Description |
|---|---|
| /help | Displays the command-line options. |
| Setup Modes | |
| /passive | Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds. |
| /quiet | Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. |
| Restart Options | |
| /norestart | Does not restart when installation has completed. |
| /forcerestart | Restarts the computer after installation and force other applications to close at shutdown without saving open files first. |
| /warnrestart[:x] | Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch. |
| /promptrestart | Displays a dialog box prompting the local user to allow a restart. |
| Special Options | |
| /forceappsclose | Forces other programs to close when the computer shuts down. |
| /log:path | Allows the redirection of installation log files. |
Verifying That the Update Has Been Applied
- Microsoft Baseline Security Analyzer
To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.
- File Version Verification
Because there are several versions and editions of Microsoft Exchange, the following steps may be different on your system. If they are, see your product documentation to complete these steps.
- Click Start, and then click Search.
- In the Search Results pane, click All files and folders under Search Companion.
- In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
- In the list of files, right-click a file name from the appropriate file information table, and then click Properties.
Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed. - On the Version tab, determine the version of the file that is installed on your system by comparing it to the version that is documented in the appropriate file information table.
Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
- Registry Key Verification
You may also be able to verify the files that this security update has installed by reviewing the registry keys listed in the Reference Table in this section.
These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files.
Microsoft Exchange Server 2003 Service Pack 2
Reference Table
The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.
| Inclusion in Future Service Packs | There are no more service packs planned for this software. The update for this issue may be included in a future update rollup. |
| Deployment | |
| Installing without user intervention | For Microsoft Exchange Server 2003 Service Pack 2: Exchange2003-kb959897-x86-enu /quiet |
| Installing without restarting | For Microsoft Exchange Server 2003 Service Pack 2: Exchange2003-kb959897-x86-enu /norestart |
| Update log file | kb959897.log |
| Further information | For detection and deployment, see the earlier section, Detection and Deployment Tools and Guidance. |
| Restart Requirement | |
| Restart required? | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
| Hotpatching | Not applicable |
| Removal Information | For Microsoft Exchange Server 2003 Service Pack 2: Use Add or Remove Programs tool in Control Panel or the Spuninst.exe utility located in the %Windir%\$ExchUninstallKB959897$\Spuninst folder |
| File Information | See Microsoft Knowledge Base Article 959239 |
| Registry Key Verification | For Microsoft Exchange Server 2003 Service Pack 2: HKEY_LOCAl_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 2003\SP3\KB959897\Filelist |
Deployment Information
Installing the Update
When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft Exchange hotfix.
For more information about the installer, visit the Microsoft TechNet Web site.
For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.
This security update supports the following setup switches.
| Switch | Description |
|---|---|
| /help | Displays the command-line options. |
| Setup Modes | |
| /passive | Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds. |
| /quiet | Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. |
| Restart Options | |
| /norestart | Does not restart when installation has completed. |
| /forcerestart | Restarts the computer after installation and force other applications to close at shutdown without saving open files first. |
| /warnrestart[:x] | Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch. |
| /promptrestart | Displays a dialog box prompting the local user to allow a restart. |
| Special Options | |
| /overwriteoem | Overwrites OEM files without prompting. |
| /nobackup | Does not back up files needed for uninstall. |
| /forceappsclose | Forces other programs to close when the computer shuts down. |
| /log:path | Allows the redirection of installation log files. |
| /extract[:path] | Extracts files without starting the Setup program. |
| /ER | Enables extended error reporting. |
| /verbose | Enables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly. |
Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.
Removing the Update
To remove this update, use Add or Remove Programs tool in Control Panel.
System administrators can use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$ExchUninstall931832$\Spuninst folder.
This security update supports the following setup switches.
| Switch | Description |
|---|---|
| /help | Displays the command-line options. |
| Setup Modes | |
| /passive | Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds. |
| /quiet | Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. |
| Restart Options | |
| /norestart | Does not restart when installation has completed. |
| /forcerestart | Restarts the computer after installation and force other applications to close at shutdown without saving open files first. |
| /warnrestart[:x] | Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch. |
| /promptrestart | Displays a dialog box prompting the local user to allow a restart. |
| Special Options | |
| /forceappsclose | Forces other programs to close when the computer shuts down. |
| /log:path | Allows the redirection of installation log files. |
Verifying That the Update Has Been Applied
- Microsoft Baseline Security Analyzer
To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.
- File Version Verification
Because there are several versions and editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.
- Click Start, and then click Search.
- In the Search Results pane, click All files and folders under Search Companion.
- In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.
- In the list of files, right-click a file name from the appropriate file information table, and then click Properties.
Note Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed. - On the Version tab, determine the version of the file that is installed on your system by comparing it to the version that is documented in the appropriate file information table.
Note Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.
- Registry Key Verification
You may also be able to verify the files that this security update has installed by reviewing the registry keys listed in the Reference Table in this section.
These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files.
Microsoft Exchange Server 2007 (all editions)
Reference Table
The following table contains the security update information for this software. You can find additional information in the subsection, Deployment Information, in this section.
| Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
| Deployment | |
| Installing without user intervention | For Microsoft Exchange Server 2007 Service Pack 1: Exchange2007-KB959241-x64-EN /quiet Exchange2007-KB959241-x86-EN /quiet |
| Installing without restarting | For Microsoft Exchange Server 2007 Service Pack 1: Exchange2007-KB959241-x64-en /norestart Exchange2007-KB959241-x86-EN /norestart |
| Update log file | For Microsoft Exchange Server 2007 Service Pack 1: KB959241.log |
| Further information | For detection and deployment, see the earlier section, Detection and Deployment Tools and Guidance. |
| Restart Requirement | |
| Restart required? | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
| Hotpatching | Not applicable |
| Removal Information | Use Add or Remove Programs tool in Control Panel. |
| File Information | See Microsoft Knowledge Base Article 959239 |
| Registry Key Verification | For Microsoft Exchange Server 2007 Service Pack 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange 2007\SP2\KB959241 |
Deployment Information
Installing the Update
When you install this security update, the installer checks whether one or more of the files that are being updated on your system have previously been updated by a Microsoft Exchange hotfix.
For more information about the installer, visit the Microsoft TechNet Web site.
For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.
This security update supports the following setup switches.
| Switch | Description |
|---|---|
| /help | Displays the command-line options. |
| Setup Modes | |
| /q[n|b|r|f] or /quiet | Sets user interface level. n - No user interaction b - Basic user interaction r - Reduced user interaction f - Full user interaction (default) |
| Restart Options | |
| /norestart | Does not restart when installation has completed. |
| /forcerestart | Restarts the computer after installation and force other applications to close at shutdown without saving open files first. |
| /promptrestart | Displays a dialog box prompting the local user to allow a restart. |
| Logging Options | |
| /l[i|w|e|a|r|u|c|m|o|p|v|x|+|!|*] <LogFile> | i - Status messages w - Nonfatal warnings e - All error messages a - Start up of actions r - Action-specific records u - User requests c - Initial UI parameters m - Out-of-memory or fatal exit information o - Out-of-disk-space messages p - Terminal properties v - Verbose output x - Extra debugging information + - Append to existing log file ! - Flush each line to the log * - Log all information, except for v and x options |
| /log<LogFile> | Equivalent of /l* <LogFile> |
Note You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841.
Verifying that the Update Has Been Applied
- Microsoft Baseline Security Analyzer
To verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. See the section, Detection and Deployment Tools and Guidance, earlier in this bulletin for more information.
- File Version Verification
Because there are several editions of Microsoft Windows, the following steps may be different on your system. If they are, see your product documentation to complete these steps.
- Click Start and then enter an update file name in Start Search.
- When the file appears under Programs, right-click on the file name and click Properties.
- Under the General tab, compare the file size with the file information tables provided in the bulletin KB article.
- You may also click on the Details tab and compare information, such as file version and date modified, with the file information tables provided in the bulletin KB article.
- Finally, you may also click on the Previous Versions tab and compare file information for the previous version of the file with the file information for the new, or updated, version of the file.
- Registry Key Verification
You may also be able to verify the files that this security update has installed by reviewing the registry keys listed in the Reference Table in this section.
These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly when an administrator or an OEM integrates or slipstreams this security update into the Windows installation source files.
Other Information
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
- Bogdan Materna of VoIPshield Systems for reporting the Literal Processing Vulnerability (CVE-2009-0099).
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
Support
- Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
- International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (February 10, 2009): Bulletin published.
- V2.0 (February 16, 2009): Added the Microsoft Exchange Server MAPI Client as affected software. Also, added several entries to the section, Frequently Asked Questions (FAQ) Related to This Security Update, relating to updating the MAPI Client and the Exchange System Management tools. No other update packages are affected by this re-release. Customers running all other supported and affected versions of Microsoft Exchange Server who have already successfully applied the original security update packages do not need to take any further action.
- V2.1 (February 25, 2009): Added a footnote in the Affected Software table, and modified two entries in the section, Frequently Asked Questions (FAQ) Related to This Security Update, relating to the Exchange System Management Tools for Exchange Server 2003. This is an informational change only. There were no changes to the security update files in this bulletin.
- V3.0 (May 26, 2009): Added an entry in the section, Frequently Asked Questions (FAQ) Related to This Security Update, to announce a detection change to the update for Microsoft Exchange Server 2003 Service Pack 2 (KB959897). This is a detection change only. There were no changes to the security update files in this bulletin. Customers who have already installed the KB959897 update successfully do not need to reinstall.