XWEB: Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000 Server

Article translations Article translations
Article ID: 287678 - View products that this article applies to.
This article was previously published under Q287678
This article has been archived. It is offered "as is" and will no longer be updated.
Expand all | Collapse all


Exchange 2000 is affected by the same vulnerability as the Microsoft Internet Information Services (IIS) 5.0 vulnerability described in the following article in the Microsoft Knowledge Base:
286818 IIS: Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000 Server
To support Web-based mail clients, Exchange 2000 introduces the ability to address items on the store via URLs. This is done in part by using IIS 5.0, and in part via code that is specific to Exchange 2000. Both pieces of code contain the flaw, but the effect of exploiting the vulnerability via either would be the same--it could be used to cause the IIS service to fail, but could not be used to attack the Exchange service itself. That is, successfully attacking an Exchange server via this vulnerability would disrupt Web-based mail clients' use of the server, but not that of MAPI-based mail clients such as Microsoft Outlook.

Mitigating factors:
  • The vulnerability would not enable the attacker to gain any administrative control over the server or to alter any data on it.
  • The affected services automatically restart in the event of a failure; therefore, an affected system would resume service almost immediately.
  • A successful attack against an Exchange server would only disrupt Web-based mail clients' use of the server. The server would continue to be available for MAPI-based clients such as Outlook.
  • The ISAPI involved in this vulnerability authenticates the user before servicing the request; therefore, a properly configured Exchange server would be at less risk than an IIS server.


IMPORTANT: Because the flaw occurs in two different code modules, one of which is installed as part of IIS 5.0 and both of which are installed as part of Exchange 2000, it is important for Exchange 2000 administrators to install both the Exchange and IIS patches below.

The following files are available for download from the Microsoft Download Center:
Exchange 2000 Server:
Collapse this imageExpand this image
Download Q287678engi386.exe now

IIS 5.0:
Collapse this imageExpand this image
Download Q286818_W2K_SP3_x86_en.exe now
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

The English version of this fix should have the following file attributes or later:

Component: HTTP-DAV

Collapse this tableExpand this table
File nameVersion


Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 1.


For more information about this issue, see the following Microsoft Web site:


Article ID: 287678 - Last Review: October 23, 2013 - Revision: 3.0
  • Microsoft Exchange 2000 Server Standard Edition
kbnosurvey kbarchive kbbug kbexchange2000presp1fix kbfix kbgraphxlinkcritical kbqfe KB287678

Give Feedback


Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com