Microsoft Exchange bug: Strike three?

First Microsoft reports a security hole in its mail server; then the company recalls its patch. Now, some say, the new fix is hanging servers. Microsoft says the patch is not the problem.

Robert Lemos Staff Writer, CNET News.com

Microsoft's latest software fix for a security hole in the company's Exchange mail server may still be causing problems, CNET News.com learned Tuesday.

While Microsoft denied that it had received any reports of difficulties with its second patch for securing Exchange 2000 and 5.5, three system administrators have reported that the fix continues to hang their servers.

"This is the same exact problem as the first patch," said Chuck Myntti, a system administrator at the University of Utah, who had to rebuild the mail server to rid it of the pesky patch. "I'm really frustrated with Microsoft."

Last Thursday, Microsoft revealed that users who connect to an Exchange 2000 mail server via the Web could have their mailboxes deleted or modified thanks to a recently discovered security hole. The flaw affected servers that offered Outlook Web Access, a way for employees to read their mail via the Web.

On Friday, the company pulled down the fix after several system administrators complained that newly patched Exchange servers hung, leaving any inbound e-mail to pile up on external servers. The company also announced that the flaw affected not only Exchange 2000 but Exchange 5.5 as well.

Microsoft posted the latest patch Saturday, but some system administrators are claiming that the software is still not working.

"I worked with Microsoft (technical support) for three hours," said Trey Carr, manager of information systems for ZonaFinanciera.com, a trilingual financial news site. "Apparently, they are not done with this patch yet. They could not even get it to uninstall itself."

Microsoft said the patch was not to blame.

"We talked with our support people, and the only problems they have seen have been users who have not installed the correct patch," said a representative of the company.

Yet, the system administrators claim they have not made the error.

"We had the same problem with this new patch, it just took longer--a couple days--to use up all the CPU resources (and hang)," said a third administrator. "We have decided to disable OWA until they figure this out."