News

Update: NNTP Vulnerability Extended to Exchange 2000

Microsoft Corp. on Wednesday night updated a security warning involving its NNTP service to extend the list of affected servers to include Exchange 2000.

The original bulletin, issued Tuesday night, identified the affected products as Windows 2000 Server and Windows NT 4.0 Server.

The bug involves the Network News Transport Protocol (NNTP).

Because of a memory leak in NNTP, an attacker sending malformed NNTP posts can bring down the server in a Denial-of-Service attack. Short of installing the patch, an administrator could fix the problem by restarting the IISAdmin service.

Limiting the scope of the vulnerability was the way NNTP had to be installed on Windows servers. On Windows NT 4.0 Servers, users had to manually select and install NNTP from the Option Pack. The service is native to Windows 2000, but is not installed by default, according to Microsoft.

But Exchange 2000 installs NNTP because it is configured by default to accept NNTP posts.

“Exchange 2000 leverages the Windows 2000 NNTP service, so any Exchange 2000 servers offering NNTP need the Windows 2000 patch,” Scott Culp, the program manager for Microsoft’s Security Response Center, told ENT.

Windows NT 4.0 Server, Windows 2000 Server and Exchange 2000 all use the same implementation of the NNTP service. Exchange 5.5 Server had its own implementation, which does not share the memory leak problem.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

Featured

  • Microsoft Starting To Roll Out New Excel Connected Data Types

    Microsoft on Thursday announced some Excel and Power BI enhancements that add "connected data types" on top of the standard strings and numbers options.

  • Windows 10 Users Getting New Process for Finding Optional Driver Updates

    Accessing Windows 10 drivers classified as "optional updates" will be more of a manual seek-and-install type of experience, starting on Nov. 5, 2020, Microsoft explained in a Wednesday announcement.

  • Microsoft Changes Privacy Platform Name to SmartNoise

    Microsoft Research has changed the name of its "differential privacy" platform from "WhiteNoise" to "SmartNoise," according to a Wednesday announcement.

  • Why Restarting a Failed SCVMM Job Might Be a Bad Idea

    Occasionally, restarting a failed System Center Virtual Machine Manager job can leave your virtualization infrastructure in an unknown state. Here's how to avoid that.

comments powered by Disqus