
Microsoft Patches Critical Exchange Hole

Late yesterday, Microsoft released a patch that corrects what the company calls a "critical" security flaw in Microsoft Exchange 2000 Server. The flaw lets intruders send a specially formatted email message that ties up 100 percent of the server's processing power, effectively creating a Denial of Service (DoS) situation (which prevents users from accessing services). The flaw takes advantage of a bug in the way Exchange 2000 handles certain malformed email messages; rather than simply deleting the messages, the server repeatedly attempts to process them and ties up all its resources doing so.

"A security vulnerability results because it is possible for an attacker to seek to exploit this flaw and mount a [DoS] attack," states a Microsoft security bulletin about the patch. "An attacker could attempt to levy an attack by connecting directly to the Exchange server and passing a raw, hand-crafted mail message with a specially malformed attribute. ... Neither restarting the service nor rebooting the server would remedy the [DoS]."

The good news is that attacking Exchange 2000 in this manner is difficult. Intruders can't launch attacks through email messages; the attacks require a direct connection to the server. In addition, although you can't stop Exchange 2000 from processing the malformed message after it begins, the server restores normal operation after it finishes processing the message. Nevertheless, Microsoft recommends that all Exchange 2000 users download and install the patch, which you can find on the Microsoft Web site.
