Exchange SP1 Patch Conflicts With Blackberry, GoodLink

Microsoft released a patch for Exchange 2003 SP1 called MS06-019 that includes a configuration change that eliminates a default privelege granting any users with "full mailbox access" permission to "Send As" the mailbox owner.

Microsoft claims customers asked that "Send As" permission be separated from the "Full Mailbox Access" permission to deter email spoofing and ensure that e-mails sent by a delegate are distinguished from message sent by the real mailbox owner.

The change to the Exchange configuration may cause issues for Blackberry Enterprise Server and Good Technology's GoodLink Wireless Messaging, Microsoft security experts said during its monthly security call Wednesday.

According to the Microsoft knowledgebase, users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 and Exchange Server 2003.

The news comes as Microsoft holds its annual Mobile and Embedded Developers Conference in Las Vegas. Microsoft now competes against Blackberry Enterprise Server and GoodLink.

"Once you apply the update, users can't send mail on behalf of another user and in knowledgebase [KB]article 912918 we talk about applications that might be affected," said Christopher Budd, a security program manager for Microsoft. "Blackberry is one of the products that may be affected."

Microsoft also cited Good Technology's GoodLink wireless messaging in its list of known third-party product conflicts with MS06-019.

Microsoft also posted two knowledge base (KB) articles about the "send as" change [KB 895949] and has made available a script that offers configuration changes to those users that might be affected.

The configuration change was included in an Exchange 2000 hotfix that went out earlier this year.

During the monthly security briefing, Microsoft also said it has decided to switch from PGP (Prett Good Privacy) to S-MIME standard for e-mail security in the future.

Microsoft also warned users that it will end security support for Windows 98/SE/Millenium on July 11 and for Windows XP SP1 on Oct. 10.

On December 6, 2006 Microsoft will end security updates for Software Update Services 1.0 patch management software.

Microsoft advised customer to start upgrading to Windows XP SP2 and Windows Server Update Services 2.0, which replaced SUS.

Security companies said partners and customers running third-party applications including the two mobile software servers should begin testing the Exchange 2003 SP1 patch throughly.

"IT admins need to test the critical patches in their respective environments to ensure there are no disruptions to their environment before deploying them across the entire network," said Chris Andrew, vice president of security technologies at PatchLink.

Still, Symantec urges partners and customers to deploy the update -- considered the most severe vulnerability in the May release.

This vulnerability could provide an attacker with an opportunity to execute code remotely on a Microsoft Exchange server by sending an e-mail with malicious calendar properties, according to a statement issued by Symantec.