News

Exchange Security Patch Needs Patching

• By Scott Bekker
• June 11, 2001

And in a related bit of patching, Microsoft enlarged the scope of its original Exchange 2000 security bulletin to include Exchange 5.5 Server deployments for the first time, as well.

Exchange 5.5 and Exchange 2000 Server ship with default support for Outlook Web Access (OWA), a Web-based interface that lets users access their Exchange mailboxes through a Web browser interface. An unscrupulous attacker could exploit a known vulnerability in the way that OWA and Internet Explorer 5.x interact to take complete control of a user's mailbox - possibly even manipulating messages and folders. In a knowledge base article published on its Security Web site, Microsoft itself recommended that users who've deployed OWA - i.e., most Exchange 5.5 and Exchange 2000 deployments - should "install the patch immediately."

One such user, Jeffrey Barczak, a network support specialist with the Pennsylvania State University, says that he first experienced problems with the OWA security update only hours after installing it on one of his personal test systems.

"Mail began accumulating in the 'Outboxes' on the Outlook clients that my Exchange 2000 Server supports. And for the few POP3 clients that I support, their mail got stuck in the SMTP queue," he explains.

The problem, Barczak discovered, was that Exchange 2000's Information Store (MSExchangeIS) and POP3 (POP3Svc) services were apparently hanging shortly after start-up. An e-mail to the Windows NT Systems Administrators mailing list confirmed his suspicions: at least one other IT manager responded and acknowledged that he'd experienced similar issues. Both Barczak and the other affected IT manager found that simply removing the patch didn't solve their problems.

Sometime on Friday, Microsoft pulled the OWA security update from its TechNet Web site and replaced it with a cryptic message indicating that the patch was "temporarily unavailable" and that it would likely "be returned to the Web shortly." As of Sunday night, however, the software patch was again available on Microsoft's Download Web site.

By Friday, a revision notice indicated that the OWA update - by then available in version 2.0 - had been patched and explained "that the version of the Exchange 2000 patch released on June 06, 2001 ... contained a regression error that has been corrected." It was then that Microsoft first acknowledged that the OWA vulnerability - which was thought to be Exchange 2000-specific - also affected Exchange 5.5 systems. It is not known if the regression error that crippled some Exchange 2000 installations could also disable Exchange 5.5 systems, however.

As of the time of this writing, the software giant hadn't yet provided IT managers with instructions for fixing Exchange 2000 systems disabled by the original patch. Consequently, users such as PSU's Barczak were forced to shift for themselves.

Because the Exchange 2000 OWA patch causes the Exchange Information Store and POP3 services to hang, Barczak notes, its removal wasn't necessarily a simple task. "I had to use pkill [a tool that's included with the Windows 2000 Resource Kit] to kill both services, because the un-install process hung when it tried to shut those services down and also because I couldn't kill them using the Task Manager," he explains. Once he removed the OWA patch, Barczak says, he found that his Exchange 2000 Server still refused to function. His solution? Re-install the Exchange 2000 components. Two hours later, he reports, his Exchange 2000 test box was once again functioning normally.

"I don't even want to think about what would have happened if I did this on a production system," Barczak acknowledges.

More than anything else, however, the latest OWA patch imbroglio may have again undermined users' confidence in the quality of Microsoft's software.

"After the quality of Windows 2000 and after two good service pack releases, I was just beginning to come around and trust Microsoft again," Barczak concludes. "But this is just a reminder that you should never roll-out any patch - especially one from Microsoft - without testing it first." -- Stephen Swoyer