Microsoft issues Exchange flaw fix

Microsoft has made a knowledge paper available that details how to fix the recently reported Exchange security hole.

Microsoft has issued a knowledge paper on how to fix the flaw in Exchange Server 2003.

Last week Microsoft announced it had received notification of a flaw in Microsoft Exchange Server 2003 that either denied users access to Outlook Web Access or, worse, gave them full access to someone else's account.

Andrew Cunningham, Exchange product manager for Microsoft Australia, told ZDNet Australia that investigations by Microsoft had revealed the issue came to light when someone ran Microsoft Windows SharePoint Services on an Exchange Server.

"It's not a common scenario," Cunningham said. "Most organisations have a dedicated Exchange application and a dedicated SharePoint scenario as well." The issue arose because SharePoint turned off Kerberos authentication, which is enabled by default on the Exchange server.

Microsoft has issued a paper detailing how to fix the problem, which involves turning Kerberos authentication back on for the Exchange server and also running it on SharePoint. The paper is available from Microsoft's Web site.

"We'll continue testing to close [the investigation] off," said Cunningham. "To see whether we need to make changes to the code, or whether any other knowledge-based articles need to be released."