January 09, 2001, 10:45 AM — Microsoft Corp. is recommending that users of its Exchange Server 5.5 software install a new patch released this week in order to plug a security hole that potentially could allow a single, corrupt e-mail message to bring the messaging and collaboration system to its knees.
Microsoft issued a bulletin about the newly discovered denial-of-service vulnerability on Tuesday, saying that the flaw could enable malicious attackers to crash Exchange 5.5 servers by sending an e-mail message containing certain kinds of invalid data in the MIME header fields. The company noted that the problem doesn't affect its new Exchange 2000 software, which was released just three weeks ago.
According to a more detailed explanation of the hole that Microsoft also issued this week, a crashed e-mail system would have to be restored by rebooting the Exchange 5.5 server and deleting the offending message. The vulnerability doesn't allow attackers to add, delete or modify e-mail messages or to gain administrative privileges on an affected Exchange server, Microsoft said.
The patch that's supposed to fix the problem for users can be downloaded from Microsoft's Web site. Alternatively, the company said users will be able to address the security flaw by installing Exchange 5.5 Service Pack 4, an update to the software that "is due to be released shortly."
According to an advisory sent out by Russ Cooper, who moderates the NTBugtraq security mailing list, attackers would find it "pretty easy to keep an Exchange Server 5.5 site down if [users] haven't applied the patch" that Microsoft released. The simplicity of creating the right kind of invalid header means malicious hackers could easily exploit the vulnerability, Cooper said.
A contributor to the NTBugtraq site reported the bug last week, according to Cooper. "There are no known attacks ongoing, nor have any happened that we're aware of," he wrote in an e-mail message. "But the potential for such an attack makes me worried. It would be easy to send a malformed message to a spam list and get lots of [companies]."
Ironically, Microsoft had already developed a patch that addressed the issue, although it hadn't yet publicly disclosed the existence of the security hole.