Microsoft KB Archive/287678

= XWEB: Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000 Server =

Article ID: 287678

Article Last Modified on 2/20/2007


APPLIES TO


 * Microsoft Exchange 2000 Server Standard Edition




This article was previously published under Q287678



SYMPTOMS
Exchange 2000 is affected by the same vulnerability as the Microsoft Internet Information Services (IIS) 5.0 vulnerability described in the following article in the Microsoft Knowledge Base:

286818 IIS: Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000 Server

To support Web-based mail clients, Exchange 2000 introduces the ability to address items in the store via URLs. This is done in part by using IIS 5.0, and in part via code that is specific to Exchange 2000. Both pieces of code contain the flaw, but the effect of exploiting the vulnerability via either would be the same: it could be used to cause the IIS service to fail, but could not be used to attack the Exchange service itself. That is, successfully attacking an Exchange server via this vulnerability would disrupt Web-based mail clients' use of the server, but not that of MAPI-based mail clients such as Microsoft Outlook.

Mitigating factors:
 * The vulnerability would not enable the attacker to gain any administrative control over the server or to alter any data on it.
 * The affected services automatically restart in the event of a failure; therefore, an affected system would resume service almost immediately.
 * A successful attack against an Exchange server would only disrupt Web-based mail clients' use of the server. The server would continue to be available for MAPI-based clients such as Outlook.
 * The ISAPI involved in this vulnerability authenticates the user before servicing the request; therefore, a properly configured Exchange server would be at less risk than an IIS server.



RESOLUTION
IMPORTANT: Because the flaw occurs in two different code modules, one of which is installed as part of IIS 5.0 and both of which are installed as part of Exchange 2000, it is important for Exchange 2000 administrators to install both the Exchange and IIS patches below.

The following files are available for download from the Microsoft Download Center:

Exchange 2000 Server:

Download Q287678engi386.exe now

IIS 5.0:

Download Q286818_W2K_SP3_x86_en.exe now

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

The English version of this fix should have the following file attributes or later:

Component: HTTP-DAV



STATUS
Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 1.



MORE INFORMATION
For more information about this issue, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms01-014.mspx

Additional query words: dos denial of service

Keywords: kbbug kbexchange2000presp1fix kbfix kbgraphxlinkcritical kbqfe KB287678
