The breach, dubbed "Potential SMTP and NNTP [Network News Transfer Protocol] Denial-of-Service Vulnerabilities in Exchange Server," affects Exchange Versions 5.0 and 5.5. It allows a malicious user to cause an Exchange server to shut down or stop responding, preventing the flow of e-mail and stalling newsgroup traffic until the server is restarted.
Microsoft was alerted to the breach by Internet Security Systems' X-Force team. "As more companies use [Microsoft] BackOffice as a critical component of network and enabling e-commerce, Exchange becomes a more important application to understand from a security standpoint," said Chris Klaus, chief technology officer and founder of Internet Security Systems, in Atlanta. "I think we'll continue to find more [breaches] in the near term and long term within these applications."
The latest breach comes amid reports of a security hole in the Internet-based mail applications of Microsoft and Netscape Communications. That breach affects users of Microsoft's Outlook Express 4.x and Outlook 98 as well as Netscape Mail versions 4.05 and 4.5b1.
In the latest breach, if a hacker connects to an Exchange server running the Internet Mail Service (TCP/IP port 25) and issues a sequence of incorrect data, an application error can cause the Internet Mail Service to stop responding, according to a security bulletin issued by Microsoft.
In addition, if a hacker connects to an Exchange server running the NNTP Service (TCP/IP port 119), which supports Exchange newsgroups, and issues a similar sequence of incorrect data, the Server Information Store could crash. Users would also be prevented from connecting to their Exchange folders on the mail server, according to the Microsoft bulletin. Although neither crash requires a reboot of the operating system, the servers need to be restarted.
Hotfixes are available here.
"We're hoping people will understand the seriousness of these [security breaches] and apply the patches before they have the ability to disseminate to the hacker community... and cost [a corporation] more money to take corrective measures," Klaus said.
Affected versions of the software include Exchange 5.0 (including 5.0 Service Pack 1 and 2) and 5.5. Exchange 4.0 is not affected, according to Microsoft officials.