[ISN] Microsoft Exchange hole "critical"

From: InfoSec News (isnat_private)
Date: Thu May 30 2002 - 01:38:37 PDT


    By David Becker
    Staff Writer, CNET News.com
    May 29, 2002, 3:30 PM PT

    Microsoft on Wednesday issued a security alert about a newly
    discovered flaw in its Exchange 2000 e-mail software that could allow
    hackers to cripple e-mail servers.

    The vulnerability, which Microsoft classified as "critical," affects
    e-mail servers running Exchange 2000.

    Malformed messages created using RFC 821 and 822, versions of the SMTP
    format commonly used by e-mail programs, can cause the CPU of the
    server receiving the message to run at 100 percent as it attempts to
    read the message. The result would be a denial-of-service attack, with
    the affected server unable to do anything until it finishes processing
    the message.

    Christopher Budd, security program manager at Microsoft's security
    response center, said the flaw was assigned a "critical" rating
    because once the attack starts, it can't be stopped, even if Exchange
    is restarted or the server rebooted.

    "Once the process starts, you can't stop it," he said, adding that it
    could take a server anywhere from a few seconds to a few hours to
    process a message. "The key here is that once the system gets hold of
    that message, it's got to deal with it."

    The bulletin noted that creating such messages would require
    specialized knowledge and software, as common e-mail clients such as
    Outlook are incapable of creating RFC 821 or 822 content.

    "You'd have to be fairly sophisticated," Budd said. "This is not
    something where somebody opens an e-mail client, puts a few bad
    characters in a message, and sends it. It would basically require
    someone to know the language of SMTP."

    Microsoft urged system administrators to promptly patch any Exchange
    2000 servers.

    Discovery of the flaw was credited to researchers at the Johannes
    Gutenberg University in Mainz, Germany.

    ISN is currently hosted by Attrition.org