17 Nov 2000
Microsoft has issued a patch to fix a security vulnerability that could allow a hacker to log in remotely to early versions of Exchange 2000 Server and potentially access other resources on the same domain.
In a security notice Microsoft said: "This vulnerability could potentially allow an unauthorised user to remotely log in to an Exchange 2000 Server and possibly other servers on the affected computer's network."
The problem exists because in earlier shipments of Exchange 2000 the setup utility creates an account with a known user name and password. An attacker who learned these credentials could log on to the account; more seriously, if Exchange 2000 were installed on a server acting as a domain controller, the account would hold domain user privileges, allowing access to other systems on the affected domain.
Even in that case, however, the account would still be barred from accessing Exchange 2000 data, which security experts said reduced the severity of the risk.
Microsoft admitted that the issue only exists because of a security oversight during development. "This account was included in Exchange 2000 during the beta program while the current method of handling workflow and event scripts was developed. It was intended to be removed from the final shipping product; however, due to a production error, it was not actually removed from some early shipments," the company said.
Installations vulnerable to the problem are those built from Microsoft Exchange 2000 Server or Microsoft Exchange 2000 Enterprise Server CDs that do not have "Rev. A" stamped on the CD on the line below the part number.
Roy Hills, testing development director at security testers NTA Monitor, said that the use of default usernames and passwords was more of a practical problem for users where it concerned network hardware, rather than application software, such as Exchange, where the login is protected by other measures.
"Even when Exchange is made available over the internet, it is offered using Outlook Web access, and users would have to authenticate themselves first onto remote access servers," said Hills.
More information on the issue, and a link to a patch, is available on Microsoft's website. Microsoft also recommends that users disable or delete the account after setup is completed. The patch will be included in the first service pack for Exchange 2000.
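The defensive steps the article describes (confirm whether the server is a domain controller, find out whether the setup-created account still exists and whether it has been used, then disable it) can be scripted. The following is an added example written for this page; it is not Microsoft's patch or tooling, and it uses PowerShell cmdlets (Get-CimInstance, Get-ADUser, Get-LocalUser, Get-WinEvent) that post-date the article. The account name is a placeholder because the article does not give the real one; substitute the name from Microsoft's bulletin.

```powershell
# Added example (not from the article or from Microsoft): audit a server for a
# leftover setup-created account, report any prior logons with it, and
# optionally disable it. Report-only unless -Disable is passed.
param(
    [string]$SuspectAccount = 'PLACEHOLDER_SETUP_ACCOUNT',  # placeholder, not the real name
    [switch]$Disable
)

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC. On a DC the
# setup account is a domain account, which is the higher-risk case above.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = ($role -ge 4)

$findings = @()

if ($isDomainController) {
    Import-Module ActiveDirectory -ErrorAction Stop
    $acct = Get-ADUser -Filter "SamAccountName -eq '$SuspectAccount'" `
                       -Properties Enabled, MemberOf -ErrorAction SilentlyContinue
    if ($acct) {
        $findings += [pscustomobject]@{
            Scope   = 'Domain'
            Name    = $acct.SamAccountName
            Enabled = $acct.Enabled
            Groups  = ($acct.MemberOf -join '; ')
        }
        if ($Disable -and $acct.Enabled) { Disable-ADAccount -Identity $acct }
    }
} else {
    $acct = Get-LocalUser -Name $SuspectAccount -ErrorAction SilentlyContinue
    if ($acct) {
        $findings += [pscustomobject]@{
            Scope   = 'Local'
            Name    = $acct.Name
            Enabled = $acct.Enabled
            Groups  = ''
        }
        if ($Disable -and $acct.Enabled) { Disable-LocalUser -Name $acct.Name }
    }
}

# Detection: successful logons (Security event 4624) whose target account is
# the suspect name. Any hit means the account was used and warrants review.
$logons = @()
try {
    $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction Stop |
        Where-Object { $_.Properties[5].Value -eq $SuspectAccount }   # index 5 = TargetUserName
} catch {
    Write-Warning "Could not read the Security log: $($_.Exception.Message)"
}

if ($findings.Count -eq 0) {
    Write-Output "No account named '$SuspectAccount' found (DomainController=$isDomainController)."
} else {
    $findings | Format-Table -AutoSize
    if (-not $Disable) { Write-Output "Report-only run; re-run with -Disable to disable the account." }
}
Write-Output ("Successful logons recorded for '{0}': {1}" -f $SuspectAccount, $logons.Count)
$logons | Select-Object TimeCreated, @{ n = 'Source'; e = { $_.Properties[18].Value } } |   # index 18 = IpAddress
    Sort-Object TimeCreated | Format-Table -AutoSize
```

Run it first without -Disable to see whether the account exists and whether it has ever logged on, then with -Disable once you have confirmed nothing legitimate depends on it. Deleting the account outright, as Microsoft also suggests, is the stronger fix; disabling first keeps the SID around long enough to review group memberships and event history.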