Exchange 2000 to get security sweep fixes

Microsoft Corp. is planning to release this month the third service pack for its Exchange 2000 server software, which will include fixes for bugs discovered as part of its lengthy review of the software code.

Released to address issues that arise in products after Microsoft has already shipped software to customers, service packs typically includes bug fixes, technical modifications and feature additions. The Exchange 2000 Service Pack 3, however, will be released specifically to address issues the company discovered under its recent Trustworthy Computing initiative, said Jim Bernardo, product manager for the Microsoft’s .Net Enterprise Server team.

As part of the Trustworthy Computing initiative, each division at Microsoft under went a code review, sweeping each piece of software in search of vulnerabilities. The code review is intended to make Microsoft’s software more secure and reliable, and has become a top priority for the company by request of Bill Gates, the company’s chairman and chief software architect.

“We spent six or seven weeks scrubbing code” with Exchange 2000, Bernardo said. “The service pack will include changes and fixes based on the scrub we did.”

One new security functionality that will be added to Exchange 2000 with the service pack release is a feature that configures the server software with all the features “locked down” by default, according to Bernardo. To take advantage of some of the nonessential features of the software, such as special network extensions, administrators will have to activate the various settings in the software manually.

The service pack will also include a security tweak that will help prevent buffer overruns, Bernardo said. Buffer overruns occur when an attacker overflows the amount of memory assigned to a specific task on a computer. It can result in unpredictable behavior such as crashes, denial of service and code execution.

No new product features will be added to Exchange 2000 with Service Pack 3, Bernardo said. However, one existing feature that allows Exchange to work with Windows .Net Server has been overhauled, he said. Microsoft plans to release Windows .Net Server, the next version of Windows 2000 Server, by the end of the year.