Security experts say install Exchange patch despite problems

Joan Goodchild, News Writer

Several security companies are urging Windows managers to install the latest Microsoft Exchange Server patch, despite reports that the fix is causing problems for some mobile devices.

The critical update, released Tuesday, fixes a remote code execution flaw in the Exchange calendar function. It affects Microsoft Exchange Server 2000 and Exchange Server 2003 SP1 and SP2.

The Microsoft bulletin warned that an attacker could exploit the vulnerability simply by sending an email with malicious calendar data that is included in meeting requests. If the server is exploited, a hacker could then install programs; view, change, or delete data; and create new accounts with full user rights.

"This is a critical flaw and administrators should test and install the patch as soon as possible," said David Litchfield, a U.K.-based security consultant with Next Generation Security (NGS) Software Ltd. "Until the patch is installed, administrators should consider blocking or quarantining calendar-based mail messages as an interim solution."

Symantec Corp., in Cupertino, Calif., warned administrators to patch quickly and listed the Exchange vulnerability level as "High" on the company's security response Web site. Internet Security Systems (ISS) Inc.'s X-Force research team expects that an exploit for the Exchange bug will be out soon.

"With the high profile of Microsoft Exchange as a target and the nature in which it is typically deployed, we expect to see active exploitation of this issue in the wild with the possibility of a worm," read an alert on the ISS Web site.

Microsoft has issued a workaround because of some compatibility problems with the Exchange fix. According to a Microsoft support site, users cannot send email messages from a mobile device or from a shared mailbox in Exchange 2000 and Exchange Server 2003. The software maker has a Knowledge Base article available for Exchange managers to deal with the mobile problems.

