Secunia

Some vulnerabilities have been reported in Microsoft Exchange, which can be exploited by malicious people to conduct script insertion attacks, cause a DoS (Denial of Service), or compromise a vulnerable system.

1) Outlook Web Access (OWA) does not handle a certain UTF character set label correctly. As a results, script-based attachments are not properly sanitised before being displaying, which can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site when opening a file.

2) An error in the Exchange Collaboration Data Objects (EXCDO) functionality when handling MODPROPS properties in iCal files can be exploited to cause the mail service to stop responding via a specially crafted iCal file containing two MODPROPS properties where the second is longer than the first.

3) An error in the MIME decoding can be exploited to execute arbitrary code via a malicious e-mail message containing specially crafted base64-encoded content.

4) An integer overflow error in the handling of IMAP literals can be exploited to cause the mail service to stop responding via a specially crafted IMAP command.

Solution
Apply patches.
Further details available in Customer Area

Provided and/or discovered by
1) The vendor credits Martijn Brinkers, Izecom.
2) Alexander Sotirov, Determina Security Research.
3) Reported by the vendor.
4) Discovered by Joxean Koret and reported via iDefense Labs.

Changelog
Further details available in Customer Area

Original Advisory
MS07-026 (KB931832):
http://www.microsoft.com/technet/security/Bulletin/MS07-026.mspx

Determina:
http://www.determina.com/security.research/vulnerabilities/exchange-ical-modprops.html

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=526

Other references
Further details available in Customer Area

Alternate/detailed remediation
Further details available in Customer Area

Deep Links
Links available in Customer Area