Exchange 2000 and IIS 5.0 Denial of Service

Reported March 1, 2001, by Microsoft.


  • Microsoft IIS Server 5.0

  • Microsoft Exchange 2000 Server


IIS 5.0 and Exchange 2000 servers both contain a flaw that might result in a Denial of Service (DoS). By repeatedly sending a URL of a specific construction, a malicious user can cause a memory allocation error that results in the failure of the IIS service. Messaging API (MAPI)-based mail clients under Exchange 2000 are not affected, but the IIS service failure can temporarily disrupt Web-based mail clients until the affected services restart automatically. The flaw exists in the code of both IIS and Exchange 2000. For this reason, Exchange 2000 administrators should apply both available patches that address this vulnerability.

This particular vulnerability does not let the attacker gain administrative control or alter any data on the server. A properly configured Exchange 2000 server would be less at risk than an IIS server due to the Internet Server API (ISAPI) involved in authenticating the user prior to servicing the request.


Microsoft has issued security bulletin MS01-014 to address this vulnerability.

Discovered by Kevin Kotas of .