Exchange bug could be exploited for attacks

A vulnerability has been discovered in Microsoft Corp.’s Exchange Server that would allow a single, corrupt e-mail message to bring the server to its knees, and the software giant is recommending that users install an available patch.

The company issued a security bulletin on Tuesday saying the server has a denial-of-service vulnerability. The bug allows a malicious user to send an e-mail message with invalid data in the header that causes the Exchange Server to crash.

The vulnerability affects Exchange Server 5.5 but not Exchange 2000, which was released just last month. There are 58 million seats of Exchange in use today, according to Microsoft.

Microsoft is encouraging users to apply a patch available on its Web site. Users must be running Exchange with Service Pack 3 before they can install the patch. The fix also will be available in Service Pack 4, which is scheduled to ship before the end of the year.

According to an advisory sent out by Russ Cooper, who owns and moderates the NT BugTraq Internet discussion forum, it would be “pretty easy to keep an Exchange Server 5.5 site down if they haven’t applied the patch.”

He said the simplicity of the malformed header means it could easily be discovered by hackers with malicious intent. A contributor to the NT BugTraq site reported the bug last week. Ironically, Microsoft had already developed a patch but did not issue the security warning until Tuesday.

“There are no known attacks ongoing, nor have any happened that we’re aware of,” Cooper said in an e-mail. “But the potential for such an attack makes me worried. It would be easy to send a malformed message to a spam list and get lots of folks.”

In normal operation, Exchange checks for invalid values in the Multipurpose Internet Mail Extensions (MIME) header field of e-mail messages, and if a particular type of value is present, the server fails, according to Microsoft. The server can only regain normal operation after a restart and deletion of the malicious e-mail message.

Cooper, who has tested the vulnerability, says it affects the Internet Mail Service (IMS) in Exchange. When IMS tries to hand off the malicious message to the Information Store, the IMS fails and takes down Post Office Protocol 3 and Internet Message Access Protocol 4 services, according to Cooper. E-mail clients on the same network as the server, however, are still able to send and receive e-mail.

Microsoft says the vulnerability does not allow for the addition, deletion or modification of e-mail stored in Exchange.