June 26, 2001, 9:15 AM — Microsoft Corp. on Monday released the first service pack for its Exchange 2000 Server, adding a series of security improvements to a product that has been plagued by security issues in the past month.
Microsoft's Exchange 2000 is an e-mail and workgroup application server that includes collaborative features such as instant messaging and indexing capabilities. Released less than one year ago, the successor to Exchange Server 5.5 experienced its first major vulnerability when a security hole was discovered that allowed unauthorized access to mailbox content.
In addition to patches for that hole, the service pack includes a number of security enhancements, according to Microsoft. They include improvements to antivirus APIs (application programming interfaces) which will allow third-party software vendors to enhance their compatible offerings. It also comes with a copy of Microsoft's newly released Outlook 2002, which features an e-mail screening function that scans all incoming and outgoing messages for potentially harmful attachments. For instance, Outlook 2002 blocks Visual Basic script (.vbs) attachments, a script often used for disseminating viruses. Outlook 2002 will also notify users when a foreign program is attempting to breach their address book, Microsoft said.
"I think that from the point of view of a long-time Microsoft security watcher, I don't see a heck of a lot to be worried about," said Joel Scambray, managing principal consultant with Foundstone Inc., a security consulting firm in California. "Exchange is still pretty far beneath the radar compared to security concerns with Microsoft's Web server."
While customers have just begun upgrading to the Exchange 2000 Server, which needs Windows 2000 Server and Active Directory to run, other security holes have already been identified. Microsoft released patches three times in one week to fight off bugs discovered in the Outlook Web Access function of the Exchange server, after a glitch allowed data to be compromised when the server was accessed via the Web.
"I think that as this product becomes more ubiquitously deployed, you are going to see some more security vulnerabilities come forward," Scambray said. "I don't know of a lot of people who have really looked at vulnerabilities in Exchange."
The service pack also includes features to speed up the migration process from early versions of the server software. The Exchange 2000 Migration Wizard allows customers to consolidate multiple servers running Exchange 5.5, as well as competitive products such as Lotus Development Corp.'s Notes and Novell Inc.'s GroupWise.
Microsoft, in Redmond, Washington, can be reached at +1-425-882-8080. The service pack download is available to customers at: http://www.microsoft.com/exchange/downloads/2000/sp1.asp.