The Exchange bug, at its worst, would allow a malicious hacker to access the server's system registry, gaining details about the software running on the system, or changing the registry. Microsoft rates the problem as a low risk, while an advisory from security firm WatchGuard Technologies classed it as a medium risk.

The problem is with the Microsoft Exchange System Attendant, which helps maintain the Exchange system. To allow remote administration of the server, the System Attendant changes the permissions of the Windows Registry. However, it incorrectly gives the "Everyone" group privileges to access the registry, something only administrators should normally have.

Microsoft cautions that although this privilege only allows users to view the registry, an incorrectly configured registry could allow them to modify registry settings. The information in the registry could also help hackers launch an attack on the Exchange server.

Microsoft's patch for the Exchange Server 2000 is here.

This week Microsoft plans to release a patch for a bug with MSN Messenger that allowed any Web site to grab a visitor's IM nickname and buddy list. A few days ago, gamers had problems connecting to the Microsoft Network owing to a glitch with the company's Passport log-in service. In August, Microsoft patched a hole in Hotmail that could allow a person's email to be read by others.

ZDNet US' Robert Lemos contributed to this report.
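The difference the report draws between "Everyone" being able to view the registry and being able to modify it can be read from a key's access control list. The Python below is an added example, not code from the original report or from Microsoft's patch: it takes a security descriptor in SDDL text form and reports what the allow entries grant the Everyone group. The sample descriptors are constructed for illustration, and the function names are hypothetical.

```python
import re

# SDDL right codes -> access-mask bits (generic, standard and registry-key rights).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x20000, "SD": 0x10000, "WD": 0x40000, "WO": 0x80000,
    "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
}
# Bits that let a caller change the key: set value, create subkey, create link,
# DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
WRITE_BITS = 0x2 | 0x4 | 0x20 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000
EVERYONE = {"WD", "S-1-1-0"}  # SDDL alias and literal SID for the Everyone group


def rights_to_mask(rights):
    """Convert an ACE rights field (hex mask or two-letter codes) to an integer."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for i in range(0, len(rights), 2):
        mask |= RIGHTS.get(rights[i:i + 2], 0)
    return mask


def everyone_access(sddl):
    """Return 'none', 'read' or 'modify' for what the DACL allows Everyone.

    Simplification: only allow ACEs are evaluated; deny ACEs are ignored.
    """
    # Take only the DACL ("D:" plus its ACEs); audit entries under "S:" are skipped.
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    mask = 0
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")  # type;flags;rights;object;inherit;trustee
        if len(fields) >= 6 and fields[0] == "A" and fields[5] in EVERYONE:
            mask |= rights_to_mask(fields[2])
    if mask & WRITE_BITS:
        return "modify"
    return "read" if mask else "none"


# Constructed sample descriptors (not taken from a real Exchange server).
SAMPLES = {
    "admins only": "O:BAG:SYD:(A;;KA;;;BA)(A;;KA;;;SY)",
    "Everyone can view": "O:BAG:SYD:(A;;KA;;;BA)(A;;KR;;;WD)",
    "Everyone can modify": "O:BAG:SYD:(A;;KA;;;BA)(A;CI;0x2001f;;;WD)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(f"{name:20} -> {everyone_access(sddl)}")
```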





