
Update: NNTP Vulnerability Extended to Exchange 2000

Microsoft Corp. on Wednesday night updated a security warning involving its NNTP service to extend the list of affected servers to include Exchange 2000.

The original bulletin, issued Tuesday night, identified the affected products as Windows 2000 Server and Windows NT 4.0 Server.

The bug involves the Network News Transfer Protocol (NNTP).

Because of a memory leak in NNTP, an attacker sending malformed NNTP posts can bring down the server in a denial-of-service attack. Short of installing the patch, an administrator could fix the problem by restarting the IISAdmin service.

The scope of the vulnerability was limited by the way NNTP had to be installed on Windows servers. On Windows NT 4.0 Server, users had to manually select and install NNTP from the Option Pack. The service is native to Windows 2000 but is not installed by default, according to Microsoft.

But Exchange 2000 installs NNTP because it is configured by default to accept NNTP posts.

“Exchange 2000 leverages the Windows 2000 NNTP service, so any Exchange 2000 servers offering NNTP need the Windows 2000 patch,” Scott Culp, the program manager for Microsoft’s Security Response Center, told ENT.

Windows NT 4.0 Server, Windows 2000 Server and Exchange 2000 all use the same implementation of the NNTP service. Exchange 5.5 Server had its own implementation, which does not share the memory leak problem.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
