Microsoft releases patches for Windows and Exchange SMTP DoS

During the recent Patch Tuesday, a collection of patches was released to address SMTP vulnerabilities in both the Windows SMTP component and Exchange Server SMTP (denial of service and, in one case, information disclosure).

Vulnerabilities addressed include:

CVE-2010-0024 – The SMTP component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Server 2008 Gold, SP2, and R2, and in Exchange Server 2003 SP2, does not properly parse MX records. This allows a remote DNS server to cause a denial of service (service outage) via a crafted response to a DNS MX record query, aka “SMTP Server MX Record Vulnerability.”

CVE-2010-0025 – The SMTP component in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, and Server 2008 Gold, SP2, and R2, and in Exchange Server 2000 SP3, does not properly allocate memory for SMTP command replies. This allows remote attackers to read fragments of e-mail messages by sending a series of invalid commands and then a STARTTLS command, aka “SMTP Memory Allocation Vulnerability.”

Affected products and the corresponding update packages (KB numbers) are listed below:

| Affected Software | Update | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
|---|---|---|---|---|
| Microsoft Windows | | | | |
| Microsoft Windows 2000 Service Pack 4 | KB976323 | Denial of Service | Important | None |
| Windows XP Service Pack 2 and Windows XP Service Pack 3 | KB976323 | Denial of Service | Important | None |
| Windows XP Professional x64 Edition Service Pack 2 | KB976323 | Denial of Service | Important | None |
| Windows Server 2003 Service Pack 2 | KB976323 | Denial of Service | Important | None |
| Windows Server 2003 x64 Edition Service Pack 2 | KB976323 | Denial of Service | Important | None |
| Windows Server 2003 with SP2 for Itanium-based Systems | KB976323 | Denial of Service | Important | None |
| Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2** | KB976323 | Denial of Service | Important | None |
| Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2** | KB976323 | Denial of Service | Important | None |
| Windows Server 2008 R2 for x64-based Systems** | KB976323 | Denial of Service | Important | None |
| Microsoft Server Software | | | | |
| Microsoft Exchange Server 2000 Service Pack 3 | KB976703 | Information Disclosure | Moderate | None |
| Microsoft Exchange Server 2003 Service Pack 2 | KB976702 | Denial of Service | Important | None |
| Microsoft Exchange Server 2007 Service Pack 1 for x64-based Systems | KB981407 | None | None[1] | None |
| Microsoft Exchange Server 2007 Service Pack 2 for x64-based Systems | KB981383 | None | None[1] | None |
| Microsoft Exchange Server 2010 for x64-based Systems | KB981401 | None | None[1] | None |