Exchange bug could be exploited for denial-of-service attacks

Network World Fusion

(IDG) -- A vulnerability has been discovered in Microsoft's Exchange Server that would allow a single, corrupt e-mail message to bring the server to its knees, and the software giant is recommending that users install an available patch.

The company issued a security bulletin last Tuesday saying the server has a denial-of-service vulnerability. The bug allows a malicious user to send an e-mail message with invalid data in the header that causes the Exchange Server to crash.

The vulnerability affects Exchange Server 5.5 but not Exchange 2000, which was released just last month. There are 58 million seats of Exchange in use today, according to Microsoft.

Microsoft is encouraging users to apply a patch available on its Web site [link below]. Users must be running Exchange with Service Pack 3 before they can install the patch. The fix also will be available in Service Pack 4, which is scheduled to ship before the end of the year.

According to an advisory sent out by Russ Cooper, who owns and moderates the NT BugTraq Internet discussion forum, it would be "pretty easy to keep an Exchange Server 5.5 site down if they haven't applied the patch."

He said the simplicity of the malformed header means it could easily be discovered by hackers with malicious intent. A contributor to the NT BugTraq site reported the bug the previous week. Ironically, Microsoft had already developed a patch but did not issue the security warning until last Tuesday. "There are no known attacks ongoing, nor have any happened that we're aware of," Cooper said in an e-mail. "But the potential for such an attack makes me worried. It would be easy to send a malformed message to a spam list and get lots of folks."

In normal operation, Exchange checks for invalid values in the Multipurpose Internet Mail Extensions (MIME) header field of e-mail messages, and if a particular type of value is present, the server fails, according to Microsoft. The server can only regain normal operation after a restart and deletion of the malicious e-mail message.

Cooper, who has tested the vulnerability, says it affects the Internet Mail Service (IMS) in Exchange. When IMS tries to hand off the malicious message to the Information Store, the IMS fails and takes down Post Office Protocol 3 and Internet Message Access Protocol 4 services, according to Cooper. E-mail clients on the same network as the server, however, are still able to send and receive e-mail.

Microsoft says the vulnerability does not allow for the addition, deletion or modification of e-mail stored in Exchange.





RELATED SITES:
Exchange 5.5 Information Store Patch
Microsoft Corp.
NTBugtraq

© 2001 Cable News Network. All Rights Reserved.