Several security companies are urging Windows managers to install the latest Microsoft Exchange Server patch, despite reports that the fix is causing problems for some mobile devices.
The critical update, released Tuesday, fixes a remote code execution flaw in the Exchange calendar function. It affects Microsoft Exchange Server 2000 and Exchange Server 2003 SP1 and SP2.
The Microsoft bulletin warned that an attacker could exploit the vulnerability simply by sending an email with malicious calendar data that is included in meeting requests. If the server is exploited, a hacker could then install programs; view, change, or delete data; and create new accounts with full user rights.
"This is a critical flaw and administrators should test and install the patch as soon as possible," said David Litchfield, a U.K.-based security consultant with Next Generation Security (NGS) Software Ltd. "Until the patch is installed, administrators should consider blocking or quarantining calendar-based mail messages as an interim solution."
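Litchfield's interim mitigation, quarantining calendar-based mail until the patch is in place, can be implemented at a mail gateway as a MIME inspection step. The following is an added example written for this article, not code from Microsoft, NGS or the author; the two sample messages are constructed, and the gateway hook that would call `should_quarantine()` is assumed.

```python
"""Flag inbound mail carrying calendar data (iCalendar/vCalendar meeting
requests) so it can be held until the Exchange calendar patch is deployed.
Added example; sample messages below are constructed, not real traffic."""
from email import message_from_bytes, policy

CALENDAR_TYPES = {"text/calendar", "text/x-vcalendar", "application/ics"}
CALENDAR_EXTENSIONS = (".ics", ".vcs")


def calendar_parts(raw: bytes) -> list[str]:
    """Return one reason string per MIME part that carries calendar data."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in CALENDAR_TYPES:
            reasons.append(f"content-type {ctype}")
            continue
        fname = part.get_filename() or ""
        if fname.lower().endswith(CALENDAR_EXTENSIONS):
            reasons.append(f"attachment {fname}")
            continue
        # Some clients mislabel the part; look for the iCalendar envelope itself.
        if ctype.startswith("text/") and not part.is_multipart():
            if "BEGIN:VCALENDAR" in part.get_content().upper():
                reasons.append(f"inline VCALENDAR in {ctype}")
    return reasons


def should_quarantine(raw: bytes) -> bool:
    """Gateway decision: hold any message that carries calendar data."""
    return bool(calendar_parts(raw))


# Constructed sample: a typical meeting request with a text/calendar part.
MEETING_REQUEST = b"""From: alice@example.test
To: bob@example.test
Subject: Sync
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please join.
--b1
Content-Type: text/calendar; charset="us-ascii"; method=REQUEST

BEGIN:VCALENDAR
METHOD:REQUEST
BEGIN:VEVENT
SUMMARY:Sync
END:VEVENT
END:VCALENDAR
--b1--
"""

# Constructed sample: ordinary plain-text mail, which passes through.
PLAIN_MESSAGE = b"""From: alice@example.test
To: bob@example.test
Subject: Hi
Content-Type: text/plain; charset="us-ascii"

See you at lunch.
"""
```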
Symantec Corp., in Cupertino, Calif., warned administrators to patch quickly and listed the Exchange vulnerability level as "High" on the company's security response Web site. Internet Security Systems (ISS) Inc.'s X-Force research team expects an exploit for the Exchange bug to appear soon.
"With the high profile of Microsoft Exchange as a target and the nature in which it is typically deployed, we expect to see active exploitation of this issue in the wild with the possibility of a worm," read an alert on the ISS Web site.
Microsoft has issued a workaround because of some compatibility problems with the Exchange fix. According to a Microsoft support site, users cannot send email messages from a mobile device or from a shared mailbox in Exchange 2000 and Exchange Server 2003. The software maker has a Knowledge Base article available for Exchange managers to deal with the mobile problems.