Microsoft replaces faulty fix; Exchange 5.5 also flawed

Microsoft Corp. posted new versions of a patch late Friday to fix a flaw that it previously said only exists in its Exchange 2000 Server e-mail system. In the updated security bulletin, however, Microsoft added the more widely used Exchange 5.5 Server to the list of affected software.

Some administrators of Microsoft Corp.’s Exchange 2000 who installed the original patch posted on Wednesday found themselves left with a malfunctioning e-mail gateway.

“After I installed the patch, our Outlook Web Access and POP3 (Post Office Protocol 3) weren’t working. Regular Outlook clients locked up,” one administrator wrote in an e-mail to IDG News Service. “After troubleshooting and finally giving up, I called Microsoft. Guess what? The patch caused all of our problems.”

Microsoft on Friday morning pulled the software fix from its TechNet Web site and replaced the download link with a notice stating that the patch “is temporarily unavailable and will be returned to the Web shortly.” The updated patch was posted late Friday PDT (Pacific Daylight Time) and a revised security bulletin was sent out to subscribers to Microsoft’s Security Notification Service

“The patch that was originally provided for Exchange 2000 … could cause performance problems on the server,” Microsoft said in the updated bulletin.

A spokeswoman for Microsoft said that the patch was pulled after customer complaints.

“The Microsoft Security Response Center received reports from customers on Friday morning that there were some technical issues with the patch. The decision was made to pull the patch while investigating the issue,” the spokeswoman said. She declined to specify the number of customer complaints.

Microsoft warned in a security bulletin posted Wednesday that a security flaw exists in the Outlook Web Access module of its Exchange 2000 Server e-mail system. The flaw could allow an unauthorized user to access mailbox contents, according to Microsoft. The software maker now says that the vulnerability also affects Exchange Server 5.5 and advises customers using Outlook Web Access to install the patch immediately.

Outlook Web Access allows users to access their Exchange mailbox via the Web, rather than using the Outlook client software on their own PC. The flaw exists in the interaction between the Web access feature and its Internet Explorer Web browser, Microsoft said Wednesday.

Using malicious code in an e-mail attachment, a hacker could gain access to a user’s mailbox and would have the ability to delete messages and folders, Microsoft said.

The Outlook Web Access feature of Exchange is activated by on Exchange 2000 Server. Microsoft’s security bulletin can be viewed on the Web at

Microsoft Canada, in Mississauga, Ont., can be reached at