Microsoft released three security bulletins for the month of May:
MS06-018--Vulnerability in Microsoft Distributed Transaction Coordinator Could Allow Denial of Service (913580)
MS06-019--Vulnerability in Microsoft Exchange Could Allow Remote Code Execution (916803)
MS06-020--Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (913433)
I agree with Microsoft's severity rating on all three bulletins. MS06-019 deals with a critical vulnerability in Microsoft Exchange 200 Server and Microsoft Exchange Server 2003 in which a malformed appointment request can give an attacker complete control of the Exchange server.
The other critical vulnerability, MS06-020, isn't actually in a Microsoft product but is in the Adobe Systems Flash Player that Microsoft redistributes in Microsoft Internet Explorer (IE). (Customers that have followed the guidance in Adobe Security Bulletin APSB06-03 are not at risk from the Flash Player vulnerability.) Both the MS06-019 and MS06-020 vulnerabilities are quite serious, and I recommend that you deploy the patches as soon as possible after moderate testing.
The third bulletin deals with a Denial of Service (DoS) vulnerability in Distributed Transaction Coordinator and won't be a priority for most folks.
For my complete coverage of all three vulnerabilities see http://www.ultimateWindowsSecurity.com/news
