A Security Warning for Windows 2000
Page 1 of 1
Microsoft Corp. has issued a security bulletin for Windows 2000 users and a patch to resolve a flaw that could allow a malicious user to authenticate to the service using improper credentials for e-mail relaying.
The company said that an SMTP service installs by default as part of Windows 2000 server products, and can be selected for installation on Windows 2000 Professional.
The flaw could allow an unauthorized user to authenticate to the service using incorrect credentials. An attacker who exploited the vulnerability could gain user-level privileges on the SMTP service, thereby enabling the attacker to use the service but not to administer it. The most likely purpose in exploiting the vulnerability would be to perform mail relaying via the server, Microsoft said.
The patch is available here.
Exchange servers -- even when run on Windows 2000 -- are not affected by the vulnerability, Microsoft said. The vulnerability only affects stand-alone machines, not domain members. Customers who need SMTP services should apply the patch; all others should disable the SMTP service, the company said.