News

Update: NNTP Vulnerability Extended to Exchange 2000

Microsoft Corp. on Wednesday night updated a security warning involving its NNTP service to extend the list of affected servers to include Exchange 2000.

The original bulletin, issued Tuesday night, identified the affected products as Windows 2000 Server and Windows NT 4.0 Server.

The bug involves the Network News Transport Protocol (NNTP).

Because of a memory leak in NNTP, an attacker sending malformed NNTP posts can bring down the server in a Denial-of-Service attack. Short of installing the patch, an administrator could fix the problem by restarting the IISAdmin service.

Limiting the scope of the vulnerability was the way NNTP had to be installed on Windows servers. On Windows NT 4.0 Servers, users had to manually select and install NNTP from the Option Pack. The service is native to Windows 2000, but is not installed by default, according to Microsoft.

But Exchange 2000 installs NNTP because it is configured by default to accept NNTP posts.

“Exchange 2000 leverages the Windows 2000 NNTP service, so any Exchange 2000 servers offering NNTP need the Windows 2000 patch,” Scott Culp, the program manager for Microsoft’s Security Response Center, told ENT.

Windows NT 4.0 Server, Windows 2000 Server and Exchange 2000 all use the same implementation of the NNTP service. Exchange 5.5 Server had its own implementation, which does not share the memory leak problem.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

Featured

  • SharePoint Online Users To Get 'Modern' UI Push in April

    Microsoft plans to alter some of the tenant-level blocking capabilities that may have been set up by organizations and deliver its so-called "modern" user interface (UI) to Lists and Libraries for SharePoint Online users, starting in April.

  • How To Use PowerShell Splatting

    Despite its weird name, splatting can be a really handy technique if you create a lot of PowerShell scripts.

  • New Microsoft Customer Agreement for Buying Azure Services To Start in March

    Microsoft will have a new approach for organizations buying Azure services called the "Microsoft Customer Agreement," which will be available for some customers starting as early as this March.

  • Windows 7 To Fall Out of Support in One Year

    January 14 marks a one-year period before the end of support for Windows 7.

comments powered by Disqus
Most   Popular

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.