Security bug in Microsoft Exchange

A security hole in Microsoft Exchange versions 5.0 and 5.5 could be exploited to crash the server if it is connected to the Internet.

2 min read
Researchers have found a security flaw that hackers could exploit to crash Microsoft Exchange if the messaging server is connected to the Internet.

The vulnerability to a "denial of service" attack, discovered in the laboratory by network security firm Internet Security Systems, affects versions 5.0 and 5.5 of Exchange. Although it can cause the server to crash, the company said there is no danger of lost data or data corruption.

Internet Security Systems issued a bulletin on the hole yesterday. Microsoft said it will notify its customers early next week.

"The attack can only be triggered by a malicious hacker who knows what he is doing and intends to do it," said Chris Williams, product manager for Exchange. "You wouldn't encounter it in the normal course of operations. We're not familiar with any customers who have encountered the problem in the wild."

Describing the problem as "not a critical matter," Williams said: "It's not something that would require immediate action by all customers."

The next "service pack" update for Exchange, expected to ship in several weeks, will include a patch to repair the security hole. For more immediate help, he said the patch can be obtained through a customer-support line, (425) 635-7000.

The bulletin by Internet Security Systems identifies vulnerabilities in Exchange's Internet Mail Service (IMS), which handles the SMTP protocol, and in the Information Store, which handles the NNTP protocol. They allow an attacker to crash either service because of the way IMS handles the "AUTH" command and how the Information Store's NNTP server handles "AUTHINFO."

If the Internet Mail Service crashes, the rest of the software will still work. But when the Information Store crashes, Exchange Server cannot operate.

Microsoft has posted two descriptions, items, Q188369 and Q188341, on its support Web site.