Microsoft Security Bulletin MS03-046
Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (829436)
Issued: October 15, 2003
Updated: April 13, 2004
Version Number: 2.0
Who Should Read This Document:
System administrators who have servers running Microsoft® Exchange Server
Impact of Vulnerability:
Remote Code Execution
Maximum Severity Rating:
System administrators should apply the security patch to Exchange servers immediately
Tested Software and Patch Download Locations:
- Microsoft Exchange Server 5.0, Service Pack 2 - Download the patch
- Microsoft Exchange Server 5.5, Service Pack 4 - Download the patch
- Microsoft Exchange 2000 Server, Service Pack 3 - Download the patch
Non Affected Software:
- Microsoft Exchange Server 2003
The software listed above has been tested to determine if the versions are affected. Other versions are no longer supported, and may or may not be affected.
Microsoft thanks the following for working with us to protect customers:
- João Gouveia for reporting the issue described in MS03-046.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the Windows Update web site.
- Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls associated with security patches.
- The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
- Microsoft Software Update Services: http://www.microsoft.com/sus/
- Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for a list of security patches that have detection limitations with the MBSA tool.
- Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
- Windows Update: http://windowsupdate.microsoft.com
- Office Update: http://office.microsoft.com/officeupdate/
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 October 15, 2003: First Published.
- V1.1 October 22, 2003: Removed unnecessary information from "Deployment" in the "Exchange Server 5.5 Service Pack 4" section of "Security Patch Information."
- V1.2 November 11, 2003: Corrected file sizes under "Security Patch Information" "Exchange Server 5.5 Service Pack 4". Added information about Exchange 2000 Post-Service Pack 3 (SP3) Rollup Patch.
- V2.0 April 13, 2004: Bulletin updated to advise of the availability of an update for Exchange Server 5.0.