[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Patch Available for "Malformed MIME Header" Vulnerability

Title: Patch Available for "Malformed MIME Header" Vulnerability
Released by: MS
Date: 31st October 2000
Printable version: Click here
The following is a Security  Bulletin from the Microsoft Product Security

Notification Service.



Please do not  reply to this message,  as it was sent  from an unattended

mailbox.

                    ********************************



-----BEGIN PGP SIGNED MESSAGE-----



Microsoft Security Bulletin (MS00-082)

- --------------------------------------



Patch Available for "Malformed MIME Header" Vulnerability



Originally posted: October 31, 2000



Summary

=======

Microsoft has released a patch that eliminates a security

vulnerability in Microsoft(r) Exchange Server 5.5. The  vulnerability

could enable a malicious user to cause an Exchange server to fail.



Frequently asked questions regarding this vulnerability

and the patch can be found at

http://www.microsoft.com/technet/security/bulletin/fq00-082.asp



Issue

=====

As part of its normal processing of incoming mails, Exchange server

checks for invalid values in the MIME header fields.  However, if a

particular type of invalid value is present in certain fields, the

Exchange service will fail. Normal  operations can be restored by

restarting the Exchange service and deleting the offending mail.



There is no capability via this vulnerability to add, delete or

modify emails, nor is there any capability to usurp  administrative

privileges on the server. The vulnerability can be eliminated either

by apply the patch or Exchange 5.5  Service Pack 4, which is due to

be released shortly. Exchange 2000 is not affected by the

vulnerability.



Affected Software Versions

==========================

 - Microsoft Exchange Server 5.5



Note: Exchange Server 2000 is not affected by the vulnerability.



Patch Availability

==================

 - Microsoft Exchange Server 5.5:

   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25443



Note: This patch can be applied atop systems running Exchange Server

5.5 Service Pack 3. It is included in Exchange Server  5.5 Service

Pack 4.



Note: Additional security patches are available at the Microsoft

Download Center



More Information

================

Please see the following references for more information related to

this issue.

 - Frequently Asked Questions: Microsoft Security Bulletin MS00-082,

   http://www.microsoft.com/technet/security/bulletin/fq00-082.asp

 - Microsoft Knowledge Base article Q275714 discusses this issue

   and will be available soon.

 - Microsoft TechNet Security web site,

   http://www.microsoft.com/technet/security/default.asp



Obtaining Support on this Issue

===============================

This is a fully supported patch. Information on contacting Microsoft

Product Support Services is available at

http://support.microsoft.com/support/contact/default.asp.



Acknowledgments

===============

Microsoft thanks  Art Savelev (http://www.savelev.com) for reporting

this issue to us and working with us to protect  customers.



Revisions

=========

 - October 31, 2000: Bulletin Created.



- -------------------------------------------------------



THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED

"AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT  DISCLAIMS ALL

WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF

MERCHANTABILITY AND FITNESS FOR A PARTICULAR  PURPOSE. IN NO EVENT

SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY

DAMAGES WHATSOEVER INCLUDING DIRECT,  INDIRECT, INCIDENTAL,

CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF

MICROSOFT CORPORATION OR ITS  SUPPLIERS HAVE BEEN ADVISED OF THE

POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION

OR LIMITATION OF  LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES

SO THE FOREGOING LIMITATION MAY NOT APPLY.



Last Updated October 31, 2000



(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.





-----BEGIN PGP SIGNATURE-----

Version: PGP Personal Privacy 6.5.3



iQEVAwUBOf9XV40ZSRQxA/UrAQEYPwgAqZ/u3ycHUeYXTvtF1Wy9vWcLmNlmR5df

8ZUOLNgQ+wL7GnMSZX81BEVQoAEmEZDnZ9s00NWQ/ci+aKgnHbE5HPcccUd5m2SE

aPLw5pyTQHgVFkvVkVK4TPLz2kVFhO5TVoxFBlZ1nXycCxSOmGj/CPw7zEY85/Yy

Stf6ZD0Y+G2P24VqT6pzCc445CzD750C02DxGynPcQrvTEwvnF/SY/sfGpFkU42B

BE6umnzYOjqR6ZeCYliiC9DDMS3LQQ0FbUfU9hnSC02iGaXc2+kY3NiuIRg+XkMj

d4R92vOoI8FuLU2VKDh2/MJtVvmeZdpOPw5F8Ik3O2p1GqcTA/pNyA==

=g3xt

-----END PGP SIGNATURE-----



   *******************************************************************

You have received  this e-mail bulletin as a result  of your registration

to  the   Microsoft  Product  Security  Notification   Service.  You  may

unsubscribe from this e-mail notification  service at any time by sending

an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM

The subject line and message body are not used in processing the request,

and can be anything you like.



To verify the digital signature on this bulletin, please download our PGP

key at http://www.microsoft.com/technet/security/notify.asp.



For  more  information on  the  Microsoft  Security Notification  Service

please  visit  http://www.microsoft.com/technet/security/notify.asp.  For

security-related information  about Microsoft products, please  visit the

Microsoft Security Advisor web site at http://www.microsoft.com/security.








(C) 1999-2000 All rights reserved.