Microsoft bulletin ms04 003
The Exchange System Management Tools for Exchange Server contain the vulnerable code; however, the code can only be exploited if the server is also running an active instance of the Exchange service. Therefore, customers who are running only the Exchange System Management Tools for Exchange Server but have an active instance of the Exchange service enabled should install the security update for Exchange Server Service Pack 2 KB to be protected from the vulnerabilities described in this bulletin.

If the Exchange service is disabled, the exploitable attack vectors discussed in this security bulletin are not exposed; however, customers may still install the security update for Exchange Server Service Pack 2 KB as a defense-in-depth measure.

I am a third-party application developer and I recommend that customers install the Exchange System Management Tools for Exchange Server as a prerequisite in order to use my application. How do they update it? Customers who are running only the Exchange System Management Tools for Exchange Server can install the security update for Exchange Server Service Pack 2 KB to be protected from the vulnerabilities described in this bulletin.

Where are the file information details? The file information details can be found in the corresponding Microsoft Knowledge Base Article.

What is the difference between the servicing models for Microsoft Exchange Server and Microsoft Exchange Server, and how does the difference impact the updates in this security bulletin?

With the release of Microsoft Exchange Server, Microsoft Exchange has moved to a new servicing model based on customer feedback and on consistency with other Microsoft product servicing models. Updates for the newer Exchange Server release are cumulative at both the offered update level and the individual file level, while updates for the earlier Exchange Server release are cumulative at the file level only.

For a more detailed explanation of the Microsoft Exchange servicing model, please see the Microsoft Exchange Server product documentation.

For questions regarding the new Exchange servicing model, please contact Microsoft Product Support Services.

Do I need to install the update rollup package for Exchange Server-based servers in a particular sequence? Our test infrastructure helps guarantee that our updates work across multiple server roles.

Therefore, you do not have to apply an update rollup package in a required order to Exchange servers that are running different roles. However, you should apply the update rollup package to every Exchange Server-based server in your environment, because the update rollups are not divided by Exchange role or by particular file configuration.

For other Exchange Server configurations, the order in which you apply the update rollup to the servers is not important.

Why does this update address several reported security vulnerabilities? This update addresses several vulnerabilities because the modifications required to address these issues are located in related files. Instead of having to install several nearly identical updates, customers need to install this update only.

I am using an older release of the software discussed in this security bulletin. What should I do? The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.

Customers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers.

When you call, ask to speak with the local Premier Support sales manager.

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the February bulletin summary.

For more information, see Microsoft Exploitability Index.

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update.

Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality.

Systems can be configured to block certain types of files from being received as e-mail attachments. E-mail messages that carry TNEF data contain a file attachment that stores the TNEF information. This file attachment is usually named Winmail. Blocking this file, and blocking the ms-tnef MIME type, could help protect Exchange servers and other affected programs from attempts to exploit this vulnerability if customers cannot install the available security update.

Note: You cannot mitigate this vulnerability by setting the Exchange rich-text format option in Exchange Server to Never used or by disabling TNEF processing by editing the registry. The vulnerable parsing happens before those settings take effect, so the block has to be applied to the inbound message itself.
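As an added example, not code from the bulletin or from Microsoft, the following Python filter implements the workaround above the way a mail gateway would apply it: it flags a MIME message when any part is typed application/ms-tnef or is named winmail.dat (the conventional Winmail attachment name). It goes one step beyond the page by also checking the decoded payload for the TNEF file signature 0x223E9F78, so a TNEF attachment that has been renamed or mis-typed is still caught. The function names `tnef_findings` and `should_block` and the three sample messages are constructed for this example; the IANA-registered alias application/vnd.ms-tnef is included as a second type to match.

```python
"""Gateway-side check for TNEF (Winmail) attachments.

Added example, not code from the Microsoft bulletin. A part is flagged when
(a) its MIME type is application/ms-tnef (or application/vnd.ms-tnef),
(b) its attachment name is winmail.dat, or
(c) its decoded payload starts with the TNEF signature 0x223E9F78,
    which is stored little-endian on the wire as 78 9F 3E 22.
"""
import email
from email import policy

TNEF_MIME_TYPES = {"application/ms-tnef", "application/vnd.ms-tnef"}
TNEF_FILENAMES = {"winmail.dat"}
TNEF_SIGNATURE = b"\x78\x9f\x3e\x22"  # 0x223E9F78, little-endian


def tnef_findings(raw_message: str) -> list:
    """Return (reason, part_index) tuples for every part that would be blocked.

    part_index counts parts in msg.walk() order; the root message is index 0.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    for idx, part in enumerate(msg.walk()):
        if part.is_multipart():  # containers carry no payload of their own
            continue
        ctype = part.get_content_type().lower()
        fname = (part.get_filename() or "").strip().lower()
        if ctype in TNEF_MIME_TYPES:
            findings.append(("mime-type " + ctype, idx))
        elif fname in TNEF_FILENAMES:
            findings.append(("attachment name " + fname, idx))
        else:
            # A renamed or mis-typed TNEF blob still begins with the signature.
            payload = part.get_payload(decode=True) or b""
            if payload[:4] == TNEF_SIGNATURE:
                findings.append(("tnef signature", idx))
    return findings


def should_block(raw_message: str) -> bool:
    """Policy decision: block the message if any part looks like TNEF."""
    return bool(tnef_findings(raw_message))


# --- constructed sample messages (not captured traffic) ----------------------

# 1. Outlook-style TNEF: typed ms-tnef and named winmail.dat.
SAMPLE_TNEF = """\
From: alice@example.com
To: bob@example.com
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See attached.
--b1
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Disposition: attachment; filename="winmail.dat"
Content-Transfer-Encoding: base64

eJ8+IgAAAAAA
--b1--
"""

# 2. The same TNEF bytes, renamed and typed as a generic binary.
SAMPLE_RENAMED = SAMPLE_TNEF.replace(
    'Content-Type: application/ms-tnef; name="winmail.dat"',
    'Content-Type: application/octet-stream; name="q3.bin"',
).replace('filename="winmail.dat"', 'filename="q3.bin"')

# 3. Plain text, nothing to block.
SAMPLE_CLEAN = """\
From: alice@example.com
To: bob@example.com
Subject: hello
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

No attachment here.
"""

if __name__ == "__main__":
    for label, raw in (("tnef", SAMPLE_TNEF), ("renamed", SAMPLE_RENAMED), ("clean", SAMPLE_CLEAN)):
        print(label, "BLOCK" if should_block(raw) else "pass", tnef_findings(raw))
```

The name and type checks alone are what the bulletin describes; the signature check is the part that survives an attacker renaming the attachment, which is why a gateway filter should not rely on the filename or the declared MIME type by themselves.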

Note: Exchange supports other messaging protocols, such as X. We recommend that administrators require authentication on all other client and message transport protocols to help prevent attacks using these protocols.

Note: When you install this security update on a Windows Server based computer or on a Windows XP Bit Edition Version based computer, the installer checks whether any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix.

If you have previously installed a hotfix to update one of these files, the installer copies the RTMQFE files to your computer. For additional information, click the following article number to view the article in the Microsoft Knowledge Base.

The Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. You may also be able to verify the files that this security update installed by reviewing the following registry key. Note: This registry key may not be created properly when an administrator or an OEM integrates or slipstreams the security update into the Windows installation source files, so the absence of the key is not by itself proof that the update is missing.

To install the security update without any user intervention, use the following command at a command prompt for Windows XP. To install the security update without forcing the computer to restart, use the following command at a command prompt for Windows XP. For additional information about dual-mode packages, click the following article number to view the article in the Microsoft Knowledge Base.

Note: When you install the Windows XP Bit Edition Version security update, the installer checks whether any of the files that are being updated on your computer have previously been updated by a Microsoft hotfix. For additional information, click the following article number to view the article in the Microsoft Knowledge Base: Description of the Contents of a Windows Server Product Update Package.

To install the security update without any user intervention, use the following command at a command prompt for Windows Service Pack 2, Windows Service Pack 3, and the later service pack level listed in this bulletin. To install the security update without forcing the computer to restart, use the following command at a command prompt for those same service pack levels. This security update requires Windows NT Workstation 4.

To install the security update without any user intervention, use the following command at a command prompt for Windows NT Server 4. To install the security update without forcing the computer to restart, use the following command at a command prompt for Windows NT Server 4. System administrators can also use the Hotfix.

Microsoft thanks the following for working with us to help protect customers.

Systems Management Server (SMS) can provide assistance deploying this security update. SMS also provides several additional tools to assist administrators in the deployment of security updates, such as the SMS 2.

Even though Kerberos is enabled and used by default when an Exchange Server front-end component authenticates to the back-end Exchange server, there are situations in which Kerberos authentication is explicitly disabled on the back-end server, so that only NTLM authentication is available.

What is Outlook Web Access? Outlook Web Access (OWA) is a feature of Exchange Server. By using OWA, a server that is running Exchange Server can also function as a Web site that lets authorized users read or send e-mail messages, manage their calendar, or perform other mail functions over the Internet by using a Web browser.

What are front-end and back-end Exchange servers?

Exchange can be deployed so that end users with mailboxes on multiple servers all connect to a single front-end Exchange server. This front-end server in turn connects (proxies) to the appropriate back-end servers, where the mailboxes are actually stored.

Kerberos and NTLM are two different authentication protocols. Kerberos is the preferred Windows authentication protocol.

It is used whenever possible and is the default protocol that Exchange Server uses between front-end and back-end Exchange servers for Outlook Web Access. NTLM authentication can be used as an alternate method when Kerberos authentication is unavailable.

To do so, use the following command-line commands.

I did not change any default security settings on my Exchange server. Is there any other way Kerberos might have been disabled on the Web site hosting the Exchange programs on the back-end Exchange server?

Who could exploit the vulnerability? To exploit this vulnerability, an attacker would have to be an authorized user who has a mailbox on the same back-end Exchange server and who could first authenticate through OWA by using valid credentials. The mailbox that an attacker could access is random and cannot be predicted.

It is also not certain that the attacker would get connected to another user's mailbox at all.

What could this vulnerability allow an attacker to do? An authenticated user who gained access to another user's mailbox hosted on the same Exchange system could perform any action that the legitimate user could perform through OWA. This includes reading, sending, and deleting e-mail messages in the user's mailbox.

What systems are primarily at risk from the vulnerability? The back-end server must be running Exchange Server on Windows Server.
