News

Update: NNTP Vulnerability Extended to Exchange 2000

Microsoft Corp. on Wednesday night updated a security warning involving its NNTP service to extend the list of affected servers to include Exchange 2000.

The original bulletin, issued Tuesday night, identified the affected products as Windows 2000 Server and Windows NT 4.0 Server.

The bug involves the Network News Transport Protocol (NNTP).

Because of a memory leak in NNTP, an attacker sending malformed NNTP posts can bring down the server in a Denial-of-Service attack. Short of installing the patch, an administrator could fix the problem by restarting the IISAdmin service.

Limiting the scope of the vulnerability was the way NNTP had to be installed on Windows servers. On Windows NT 4.0 Servers, users had to manually select and install NNTP from the Option Pack. The service is native to Windows 2000, but is not installed by default, according to Microsoft.

But Exchange 2000 installs NNTP because it is configured by default to accept NNTP posts.

“Exchange 2000 leverages the Windows 2000 NNTP service, so any Exchange 2000 servers offering NNTP need the Windows 2000 patch,” Scott Culp, the program manager for Microsoft’s Security Response Center, told ENT.

Windows NT 4.0 Server, Windows 2000 Server and Exchange 2000 all use the same implementation of the NNTP service. Exchange 5.5 Server had its own implementation, which does not share the memory leak problem.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

Featured

  • Google IDs on Azure Active Directory B2B Service Now at 'General Availability'

    Microsoft announced on Wednesday that users of the Google identity and access service can use their personal log-in IDs with the Azure Active Directory B2B service to access resources as "guests."

  • Top 4 Overlooked Features of a Data Backup Strategy

    When it comes to implementing an airtight backup-and-recovery plan, these are the four must-have features that many enterprises nevertheless tend to forget.

  • Microsoft Bolsters Kubernetes with Azure Confidential Computing

    Microsoft on Tuesday announced various developments concerning the use of Kubernetes, an open source container orchestration solution fostered by Google.

  • Windows Will Have Support for Encrypted DNS

    Microsoft announced this week that the Windows operating system already has support for an encrypted Domain Name System option that promises to add greater privacy protections for Internet connections.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.