Patch these critical vulnerabilities in Exchange Server

On Tuesday, February 10, 2009, Microsoft released its monthly patches. Included in this set was a patch for a pair of relatively easily exploitable Exchange vulnerabilities affecting all versions of Exchange since Exchange 2000 Server. Scott Lowe provides details about these vulnerabilities and direct links to update downloads.

Here's a nasty one, folks. In short, all currently supported releases of Exchange Server are vulnerable to a relatively easily exploited attack that can result in remote code execution with the privileges of the Exchange Server service account. A second vulnerability can result in a successful denial of service attack against your Exchange servers. Microsoft has released updates for both vulnerabilities.

Right from Microsoft regarding security bulletin MS09-003 (emphasis added):

"This security update resolves two privately reported vulnerabilities in Microsoft Exchange Server. The first vulnerability could allow remote code execution if a specially crafted TNEF message is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could take complete control of the affected system with Exchange Server service account privileges. The second vulnerability could allow denial of service if a specially crafted MAPI command is sent to a Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could cause the Microsoft Exchange System Attendant service and other services that use the EMSMDB32 provider to stop responding."

These vulnerabilities affect Exchange 2000 Server, Exchange Server 2003, and Exchange Server 2007 SP1. The following updates include fixes for these vulnerabilities:

These are the only versions of Exchange for which Microsoft continues to provide security updates.

If any of you happen to run across information regarding this exploit as it pertains to Exchange Server 2007 RTM, please let me know, and I'll update this post. Is anyone still running the RTM version at this point?

By Scott Lowe
