Microsoft: Exchange flawed - E-mail server software vulnerable to hackers
May 30, 2002
A flaw found in Microsoft Corp.'s e-mail routing software could allow hackers to blow a computer's mind with an indecipherable message.
The flaw, which the company announced yesterday, was discovered in early May in Microsoft Exchange 2000, the server software that passes millions of e-mails over the Internet. If the flaw were exploited, a hacker could send a message that would tie up an e-mail server's full processing power for hours on end.
The result would be a so-called ``denial-of-service'' attack -- a shutdown of any affected e-mail server.
``What makes this more serious than an average denial-of-service attack,'' said Christopher Budd, a program manager in Microsoft's security response center, ``is that if you restart the mail server to clear the bad message, that will not succeed. When you restart, the mail server will immediately begin processing that message again.''
The Redmond software maker issued a security alert yesterday that rated the flaw ``critical.'' But Christopher Budd, a program manager at Microsoft's security response center, said the company had no reports of any incidents involving the flaw.
Researchers at the Johannes Gutenberg University in Mainz, Germany, discovered the flaw and reported it to Microsoft earlier this month.
Budd said taking advantage of the flaw requires programming experience with SMTP, the Simple Mail Transfer Protocol used for Internet mail. The flaw exists in two particular specifications of that protocol -- called RFC 821 and 822 -- which determine the structure of an e-mail's attributes, such as what data can be put in the ``to'' and ``from'' lines and what data the computer fills in, such as the time.
The problem with Microsoft Exchange 2000, which was shipped in October 2000, is that it can accept information in the wrong place.
``When Exchange receives it and tries to process it, the (computer's) processors will spike to 100 percent,'' Budd explained.
With the patch that Microsoft released yesterday, he added, ``Exchange will get the message, look at the attribute in question and, if it's malformed, it will just throw it away.''
The patch is available at www.microsoft.com/technet/security/bulletin/ms02-025.asp.
by Cydney Gillis, Journal Business Reporter. Copyright © 2002 Horvitz Newspapers, Inc.