
Patches out for denial-of-service hole in Exchange

Network World Fusion

(IDG) -- Microsoft is recommending users of Exchange 2000 and Internet Information Server 5.0 install a patch that can prevent a denial of service attack.

The vulnerability in both servers is exploited using a malformed URL which, when sent repeatedly, can overwhelm either IIS or Exchange and cause a failure. Each server, however, has an automatic restart that would put the server back online quickly, according to Microsoft. The vulnerability does not allow the attacker to gain administrative control or change any data, but if it is exploited, Web and e-mail service can be interrupted.


An attack on an Exchange 2000 Server, however, would only affect Web-based mail clients and not MAPI clients on the network. Exchange 2000 allows the use of URL-based access to the mail store within the server's Web Storage System. In addition, since the attacker would need to sign on to the Exchange server before delivering the malformed URL, the exploit is harder to carry out on Exchange.

"The Exchange side has a higher level of security against this bug because you have to get authorization to the server," says Chris Baker, lead product manager for Exchange Server. "Technically this could happen but there are a number of things that have to line up and the vulnerability doesn't use a typical URL."

The flaw is rooted in the handling of URLs that have a length within a narrow range of values. If such a URL is sent repeatedly to the server, it causes a memory allocation error that crashes the server.

Exchange and IIS use separate code to process URLs, but both contain the same flaw. Because IIS is installed as part of Exchange 2000, an Exchange 2000 administrator needs to install both patches.
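The article describes the attack as the same oddly sized URL arriving over and over. One way an administrator could spot that pattern in IIS W3C extended logs is shown below; this is an added example, not code from Microsoft or the article, and the length band and repeat threshold are placeholders, since the article does not state the exact range.

```python
from collections import defaultdict

# Hypothetical detection band. The article says only that the triggering
# URLs fall within a "narrow range" of lengths, so these bounds are
# placeholders an administrator would tune to the advisory's actual values.
SUSPECT_LEN_MIN = 4000
SUSPECT_LEN_MAX = 4200
REPEAT_THRESHOLD = 5   # repeats from one client before we flag it

def parse_w3c_line(line):
    """Parse one W3C extended log line with the field order
    'date time c-ip cs-method cs-uri-stem cs-uri-query sc-status'.
    Returns None for directive/comment lines and short lines."""
    if line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, c_ip, _method, stem, query, status = parts[:7]
    uri = stem if query == "-" else f"{stem}?{query}"
    return {"ip": c_ip, "uri": uri, "status": status}

def suspicious_clients(lines, lo=SUSPECT_LEN_MIN, hi=SUSPECT_LEN_MAX,
                       threshold=REPEAT_THRESHOLD):
    """Count, per client IP, requests whose full URI length falls inside
    [lo, hi]; return the clients that hit that band at least 'threshold' times."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        if lo <= len(rec["uri"]) <= hi:
            counts[rec["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample log: one normal client, one client repeating a
# 4100-character URI (inside the hypothetical band), one more normal hit.
LONG_STEM = "/exchange/" + "A" * 4090
SAMPLE_LOG = (
    ["#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
     "2001-04-16 16:30:01 10.0.0.5 GET /exchange/inbox - 200"]
    + [f"2001-04-16 16:30:{2 + i:02d} 10.0.0.9 GET {LONG_STEM} - 500"
       for i in range(6)]
    + ["2001-04-16 16:30:10 10.0.0.7 GET /default.htm - 200"]
)

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))   # {'10.0.0.9': 6}
```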


Microsoft IIS 5.0 patch
Microsoft Exchange 2000 patch



4:30pm ET, 4/16
