29 Nov 2000
Microsoft has issued a patch to fix a security vulnerability that could allow a hacker to log in remotely to early versions of the company's Exchange 2000 Server and potentially access other resources on the same domain.
In a security notice, Microsoft said: "This vulnerability could potentially allow an unauthorised user to remotely log in to an Exchange 2000 Server and possibly other servers on the affected computer's network."
The problem exists because in early shipments of Exchange 2000, the set-up utility creates an account with a known user name and password.
If an attacker discovered this name, they could log on to the account. More seriously, if Exchange 2000 was installed on a server acting as a domain controller, the account would have domain user privileges, allowing access to other systems on the affected domain.
However, even in this case, a user would still be restricted from gaining access to Exchange 2000 data, which security experts said moderated the severity of the risk. Microsoft admitted that the issue exists only because of a security oversight during development.
A company statement said: "This account was included in Exchange 2000 during the beta program while the current method of handling workflow and event scripts was developed. It was intended to be removed from the final shipping product. But due to a production error, it was not actually removed from some early shipments."
Users vulnerable to the problem include those running Microsoft Exchange 2000 Server CDs and Microsoft Exchange 2000 Enterprise Server CDs, without 'Rev. A' stamped on the CD on the line below the part number.
Roy Hills, testing development director at security tester NTA Monitor, said the use of default user names and passwords was more of a practical problem for users where it concerned network hardware, rather than software. "Even when Exchange is made available over the internet, it is offered using Outlook web access, and users would have to authenticate themselves first onto remote access servers," he said.
More information and a link to a patch are available at www.microsoft.com.