Security experts say install Exchange patch despite problems

Fast-moving worm exploit is likely to follow Tuesday's Exchange patch from Microsoft.

Several security companies are urging Windows managers to install the latest Microsoft Exchange Server patch, despite reports that the fix is causing problems for some mobile devices.


The critical update, released Tuesday, fixes a remote code execution flaw in the Exchange calendar function. It affects Microsoft Exchange Server 2000 and Exchange Server 2003 SP1 and SP2.

The Microsoft bulletin warned that an attacker could exploit the vulnerability simply by sending an email with malicious calendar data that is included in meeting requests. If the server is exploited, a hacker could then install programs; view, change, or delete data; and create new accounts with full user rights.

"This is a critical flaw and administrators should test and install the patch as soon as possible," said David Litchfield, a U.K.-based security consultant with Next Generation Security (NGS) Software Ltd. "Until the patch is installed, administrators should consider blocking or quarantining calendar-based mail messages as an interim solution."

Symantec Corp., in Cupertino, Calif., warned administrators to patch quickly and listed the Exchange vulnerability level as "High" on the company's security response Web site. Internet Security Systems (ISS) Inc.'s X-Force research team expects that an exploit for the Exchange bug will be out soon.

"With the high profile of Microsoft Exchange as a target and the nature in which it is typically deployed, we expect to see active exploitation of this issue in the wild with the possibility of a worm," read an alert on the ISS Web site.

Microsoft has issued a workaround because of some compatibility problems with the Exchange fix. According to a Microsoft support site, users cannot send email messages from a mobile device or from a shared mailbox in Exchange 2000 and Exchange Server 2003. The software maker has a Knowledge Base article available for Exchange managers to deal with the mobile problems.
