
Microsoft Security Bulletin MS00-082 - Critical

Patch Available for 'Malformed MIME Header' Vulnerability

Published: October 31, 2000 | Updated: April 13, 2004

Version: 2.0


Summary

Microsoft® has released a patch that eliminates a security vulnerability in Exchange Server 5.0 and Exchange Server 5.5. The vulnerability could enable a malicious user to cause an Exchange server to fail.

Affected Software:

  • Microsoft Exchange Server 5.0
  • Microsoft Exchange Server 5.5

Note: Exchange 2000 Server is not affected by the vulnerability.

Vulnerability Identifier: CVE-2000-1006

General Information

Technical description:

Subsequent to the release of this bulletin, it was determined that the vulnerability addressed also affects Exchange Server 5.0. Microsoft has updated the bulletin with additional information about Exchange Server 5.0 and also to direct users to a security update for this additional affected platform. This security update for Exchange 5.0 is a cumulative rollup package that also addresses the vulnerabilities discussed in MS01-041 and MS03-046. You need only install this security update once to be protected against all three vulnerabilities.

As part of its normal processing of incoming mails, Exchange server checks for invalid values in the MIME header fields. However, if a particular type of invalid value is present in certain fields, the Exchange service will fail. Normal operations can be restored by restarting the Exchange service and deleting the offending mail.

There is no capability via this vulnerability to add, delete or modify emails, nor is there any capability to usurp administrative privileges on the server. On Exchange Server 5.0, the vulnerability can be eliminated by applying the patch. On Exchange Server 5.5, either applying the patch or installing Exchange Server 5.5 Service Pack 4 will eliminate the vulnerability. Exchange 2000 Server is not affected by the vulnerability.

Why is Microsoft reissuing this bulletin?
Subsequent to the release of this bulletin, it was determined that the vulnerability addressed also affects Exchange Server 5.0. Microsoft has updated the bulletin with additional information about Exchange Server 5.0 and also to direct users to an update for this additional affected platform. This security update for Exchange 5.0 is a cumulative rollup package that also addresses the vulnerabilities discussed in MS01-041 and MS03-046. You need only install this security update once to be protected against all three vulnerabilities.

What's this bulletin about?
Microsoft Security Bulletin MS00-082 announces the availability of a patch that eliminates a vulnerability in Microsoft Exchange Server. The vulnerability could enable a malicious user to prevent an affected mail server from providing service. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This is a denial of service vulnerability. It could enable a malicious user to create an email that, when processed by an affected mail server, would cause the Exchange service to fail. The vulnerability would not enable the malicious user to compromise data or gain any additional privileges on the server.
The server could be returned to normal service by restarting the Exchange service and removing the malformed email from the message queue. The fix for this issue also is available via Exchange Server 5.5 Service Pack 4, and customers who apply Service Pack 4 do not need to apply the patch. Exchange 2000 Server is not affected by the vulnerability.

What causes the vulnerability?
Exchange Server 5.0 and Exchange Server 5.5 do not properly handle emails with a certain type of invalid MIME header. If a malicious user sent such an email to an affected server, it would cause the Exchange service to fail.

What's MIME?
MIME (Multipurpose Internet Mail Extensions) is a set of extensions to the original Internet mail standard. The original standard, discussed in RFC 822, had two significant limitations. First, only US ASCII text was supported. Second, every mail, no matter how long, had to be transmitted as a single block of text. The MIME extensions, discussed in RFCs 2045, 2046, 2047, 2048, and 2049, are designed to eliminate these limitations. They provide a standard for encoding mail using different language character sets, for creating mails that contain non-textual content, and for segmenting mails into pieces that can be sent separately.

What are MIME Headers?
MIME introduced some additional complexity into Internet mail processing. In the original Internet mail standard, the data could only be text; however, under MIME, the data could represent graphics, music, text (in any of a variety of languages), and so forth. There has to be a way for the mail to indicate what type of data it contains, directives for the mail server, and so forth. All of this information is conveyed via a special set of data at the start of a MIME mail called MIME Headers.

What's wrong with the way Exchange handles MIME Headers?
Whenever a new mail arrives at an Exchange server, the Exchange service reads the MIME headers as part of the processing of the mail. However, if the MIME headers contain a particular type of invalid value, Exchange will fail. Only a very specific type of invalid data will cause the service to fail.

What could a malicious user use the vulnerability to do?
A malicious user could create an email containing the malformed MIME headers at issue here, and then send it to an affected Exchange server in order to prevent the server from providing mail service.

Could the malicious user exploit this vulnerability to delete mail, or take over the server?
No. This is a denial of service vulnerability only. The only thing that can be done via the vulnerability is to cause the Exchange service to fail.

What would be required to put the server back into normal operation?
The server operator would need to restart the Exchange service, and then delete the offending mail from the queue. It would not be necessary to reboot the server.

How could I tell which mail was the one that caused the Exchange service to fail?
The offending mail would be at the front of the queue after the Exchange service was restarted.

Could this vulnerability be exploited by accident?
It's extremely unlikely. No legitimate mail client creates emails containing the type of invalid data at issue in this vulnerability.

Is there any other way to eliminate the vulnerability?
Yes. Exchange Server 5.5 Service Pack 4 also eliminates the vulnerability. Customers who apply the service pack do not need to apply the patch.
In general, Microsoft always recommends that service packs, rather than security patches, be used as the primary means of eliminating security vulnerabilities. A discussion of the rationale behind this recommendation is available on the Microsoft Security Web Site.

Does this vulnerability affect Exchange 2000 Server?
No.

Who should use the patch?
Microsoft recommends that customers using Exchange Server 5.0 apply the patch, and that customers using Exchange Server 5.5 apply either the patch or Service Pack 4.

What does the patch do?
The patch eliminates the vulnerability by causing Exchange to treat the malformed headers at issue here as invalid data.
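The fail-closed handling described in this answer, sketched as an added example; it is not Microsoft's code and not part of the bulletin. The bulletin does not say which header fields or values are involved, so the checks below are generic RFC 2045 grammar checks, and the names triage, CHECKS and SAMPLE, the length cap and the quarantine verdict are assumptions of this sketch.

```python
import re

# RFC 2045 token: printable US-ASCII except SPACE, CTLs and tspecials.
TOKEN = r"[!#$%&'*+\-.^_`{|}~0-9A-Za-z]+"
QUOTED = r'"(?:[^"\\\r\n]|\\[\x00-\x7f])*"'
TYPE = re.compile(rf"\s*{TOKEN}/{TOKEN}")
PARAM = re.compile(rf"\s*;\s*({TOKEN})\s*=\s*(?:{TOKEN}|{QUOTED})")
VERSION = re.compile(r"\s*\d+\.\d+\s*")  # strict: RFC 822 comments rejected
ENCODING = re.compile(rf"\s*(?:7bit|8bit|binary|quoted-printable|base64|x-{TOKEN})\s*", re.I)
BAD_CHARS = re.compile(r"[^\t\x20-\x7e]")  # control and non-ASCII characters
MAX_VALUE_LEN = 998  # assumed cap, borrowed from the RFC 2822 line limit

def check_content_type(value):
    m = TYPE.match(value)
    if not m:
        return "missing or malformed type/subtype"
    pos, seen = m.end(), set()
    while value[pos:].strip():
        p = PARAM.match(value, pos)
        if not p or p.group(1).lower() in seen:
            return f"malformed or duplicate parameter at offset {pos}"
        seen.add(p.group(1).lower())
        pos = p.end()
    return None

def matches(pattern, message):
    return lambda value: None if pattern.fullmatch(value) else message

CHECKS = {"content-type": check_content_type,
          "content-transfer-encoding": matches(ENCODING, "unknown encoding"),
          "mime-version": matches(VERSION, "not of the form digits.digits")}

def triage(headers):
    """headers: unfolded (name, value) pairs -> (verdict, problems)."""
    problems = []
    for name, value in headers:
        check = CHECKS.get(str(name).lower())
        if check is None:
            continue
        try:
            bad = len(value) > MAX_VALUE_LEN or BAD_CHARS.search(value)
            why = "oversized or non-printable value" if bad else check(value)
        except Exception as exc:  # a validator fault must not stop mail flow
            why = f"validator error ({type(exc).__name__})"
        if why:
            problems.append(f"{name}: {why}")
    return ("quarantine" if problems else "deliver"), problems

# Constructed sample: the boundary parameter has no value.
SAMPLE = [("MIME-Version", "1.0"), ("Content-Type", "multipart/mixed; boundary=")]
```

Every outcome is a verdict plus a reason, including the case where the validator itself raises, so a message that cannot be parsed is set aside for an operator instead of stopping the service that processes the queue.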

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How do I use the patch?
The Knowledge Base article contains detailed instructions for applying the patch to your site.

How can I tell if I installed the patch correctly?
The Knowledge Base article provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

  • Microsoft has delivered a patch that eliminates the vulnerability.
  • Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
  • Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
  • Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.

Download locations for this patch

Additional information about this patch

Installation platforms: Please see the following references for more information related to this issue.

Other information:

Acknowledgments

Microsoft thanks Art Savelev for reporting this issue to us and working with us to protect customers.

Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • October 31, 2000: Bulletin Created.
  • V2.0 April 13, 2004: Bulletin updated to advise of the availability of an update for Exchange Server 5.0.
