
With Exchange's new bug, I can get anyone's email! SPAM!

by Majik on September 10th, 2001


A bug in e-mail server software from Microsoft could provide valuable information to attackers and junk e-mailers, the software firm has acknowledged.


The flaw, in Microsoft's Exchange Server version 5.5, allows unauthenticated users to obtain a list of the e-mail addresses of all users on the server. Exchange 5.5 is a messaging and collaboration platform used by many corporations and Internet service providers.





Microsoft has categorized the bug as an "information disclosure vulnerability." Besides enabling spammers to harvest a collection of e-mail addresses, the flaw could give hackers "reconnaissance information" with which to exploit other weaknesses in a network, the company said.





According to Microsoft, the bug only affects Exchange 5.5 installations that have enabled Outlook Web Access (OWA), a feature that allows Exchange users to access their e-mail using a Web browser instead of an e-mail program.





While Exchange 2000 also supports OWA, the flaw does not affect Microsoft's latest e-mail server, the company said.





According to a Microsoft security bulletin dated Sept. 6, the bug does not allow attackers to create, send, read, change or delete mail on the server. Microsoft has released a patch that closes the hole.





The Exchange 5.5 OWA vulnerability was reported to Microsoft by SecuriTeam, a unit of Israeli security firm Beyond Security. An advisory, with information on how to exploit the flaw, was posted to security mailing lists by SecuriTeam last Friday.





Using a specially crafted hypertext transfer protocol (HTTP) request, an attacker could search a vulnerable Exchange server's global address list - a feature meant to be restricted to authorized users, SecuriTeam said.





Earlier this year, Microsoft acknowledged a flaw in the native mail service in Windows 2000 that enables an unauthorized user to conduct mail relaying through the server. Microsoft released a patch for the Windows 2000 SMTP server flaw in July.

