Microsoft Corp. has issued a security bulletin for Windows 2000 users and a
patch to resolve a flaw that could allow a malicious user to authenticate to
the SMTP service using improper credentials for e-mail relaying.
The company said that an SMTP service installs by default as part of Windows
2000 server products, and can be selected for installation on Windows 2000
Professional.
The flaw could allow an unauthorized user to authenticate to the service
using incorrect credentials. An attacker who exploited the vulnerability
could gain user-level privileges on the SMTP service, thereby enabling the
attacker to use the service but not to administer it. The most likely purpose
in exploiting the vulnerability would be to perform mail relaying via the
server, Microsoft said.
The patch is available here.
Exchange servers — even when run on Windows 2000 — are not affected by the
vulnerability, Microsoft said. The vulnerability only affects stand-alone
machines, not domain members. Customers who need SMTP services should apply
the patch; all others should disable the SMTP service, the company said.