Microsoft Security Bulletin MS02-011
Authentication Flaw Could Allow Unauthorized Users To Authenticate To SMTP Service
Originally posted: February 27, 2002
Updated: April 13, 2004
Who should read this bulletin:
Customers using Microsoft® Windows® 2000, Windows NT® Server 4.0 Option Pack, Exchange® Server 5.5, or Exchange Server 5.0
Impact of vulnerability:
Maximum Severity Rating:
Customers who need the Windows 2000 and Windows NT Server 4.0 SMTP services should apply the Windows patches; all others should disable the SMTP service. Customers using the Exchange Server 5.5 IMC should apply the Exchange Server 5.5 IMC patch. Customers using Exchange 5.0 may apply the workaround described in the Frequently Asked Questions section below. Exchange 5.0 is not affected by this vulnerability, but general information about securing Exchange 5.0 against mail relay is provided for your information.
- Microsoft Windows 2000
- Microsoft Windows NT Server 4.0 Option Pack
- Microsoft Exchange Server 5.5
- BindView's RAZOR Team for reporting this issue to us and working with us to protect customers.
- Mario Kuechler for reporting that NT Server 4.0 is affected as well.
- Microsoft Knowledge Base articles Q313450 and Q289258 discuss this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (February 27, 2002): Bulletin Created.
- V2.0 (March 12, 2002): Updated to reflect that the Windows 2000 patch for MS02-012 and MS02-011 are the same.
- V2.1 (May 09, 2003): Updated download links to Windows Update.
- V3.0 (April 13, 2004): Bulletin updated to advise of the availability of an update for Windows NT Server 4.0 and to advise Exchange Server 5.0 customers on how to better protect themselves.