XWEB: Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000 Server

This article was previously published under Q287678
This article has been archived. It is offered "as is" and will no longer be updated.
SYMPTOMS
Exchange 2000 is affected by the same vulnerability as the Microsoft Internet Information Services (IIS) 5.0 vulnerability described in the following article in the Microsoft Knowledge Base:
286818 IIS: Malformed URL Can Cause Service Failure in IIS 5.0 and Exchange 2000 Server
To support Web-based mail clients, Exchange 2000 introduces the ability to address items on the store via URLs. This is done in part by using IIS 5.0, and in part via code that is specific to Exchange 2000. Both pieces of code contain the flaw, but the effect of exploiting the vulnerability via either would be the same--it could be used to cause the IIS service to fail, but could not be used to attack the Exchange service itself. That is, successfully attacking an Exchange server via this vulnerability would disrupt Web-based mail clients' use of the server, but not that of MAPI-based mail clients such as Microsoft Outlook.

Mitigating factors:
  • The vulnerability would not enable the attacker to gain any administrative control over the server or to alter any data on it.
  • The affected services automatically restart in the event of a failure; therefore, an affected system would resume service almost immediately.
  • A successful attack against an Exchange server would only disrupt Web-based mail clients' use of the server. The server would continue to be available for MAPI-based clients such as Outlook.
  • The ISAPI involved in this vulnerability authenticates the user before servicing the request; therefore, a properly configured Exchange server would be at less risk than an IIS server.
RESOLUTION
IMPORTANT: Because the flaw occurs in two different code modules, one of which is installed as part of IIS 5.0 and both of which are installed as part of Exchange 2000, it is important for Exchange 2000 administrators to install both the Exchange and IIS patches below.

The following files are available for download from the Microsoft Download Center:
For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to Obtain Microsoft Support Files from Online Services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file.

The English version of this fix should have the following file attributes or later:

Component: HTTP-DAV

File name    Version
Davex.dll    6.0.4418.54
STATUS
Microsoft has confirmed that this is a problem in Microsoft Exchange 2000 Server. This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 1.
MORE INFORMATION
For more information about this issue, see the following Microsoft Web site:
Properties

Article ID: 287678 - Last Review: 10/23/2013 16:06:05 - Revision: 3.0

Microsoft Exchange 2000 Server Standard Edition
