Alert: Microsoft Security Bulletin MS03-046 - Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (829436)

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 10/16/03

    Date:         Wed, 15 Oct 2003 19:38:43 -0400
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Bulletin URL:
    http://www.microsoft.com/technet/security/bulletin/MS03-046.asp

    Summary:

      Version Number: V1.0
      Revision Date: 10-15-2003
      Patch(es) Replaced: None
      Caveats: None
      CVE Number(s): CAN-2003-0714

    Tested Software:
      Affected Software:
      * Microsoft Exchange Server 5.5, Service Pack 4
      * Microsoft Exchange 2000 Server, Service Pack 3

      Software Not Affected:
      * Microsoft Exchange Server 2003

    Technical Description:
    In Exchange Server 5.5, a security vulnerability exists in the Internet
    Mail Service that could allow an unauthenticated attacker to connect to
    the SMTP port on an Exchange server and issue a specially-crafted
    extended verb request that could allocate a large amount of memory. This
    could shut down the Internet Mail Service or could cause the server to
    stop responding because of a low memory condition.

    In Exchange 2000 Server, a security vulnerability exists that could
    allow an unauthenticated attacker to connect to the SMTP port on an
    Exchange server and issue a specially-crafted extended verb request.
    That request could cause a denial of service that is similar to the one
    that could occur on Exchange 5.5. Additionally, if an attacker issues
    the request with carefully chosen data, the attacker could cause a
    buffer overrun that could allow the attacker to run malicious programs
    of their choice in the security context of the SMTP service.

    This email is sent to NTBugtraq automatically as a service to my
    subscribers. (v2.0)

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    
