Some administrators of Microsoft's Exchange 2000 Server email systems who installed a security patch posted by the software maker last Wednesday found themselves left with a malfunctioning email gateway.
"After I installed the patch, our Outlook Web Access and POP3 (Post Office Protocol 3) weren't working. Regular Outlook clients locked up," one administrator wrote in an email to IDG News Service. "After troubleshooting and finally giving up, I ... called Microsoft. Guess what? The patch caused all of our problems."
Microsoft last Friday pulled the software fix from its TechNet website and replaced the download link with a notice stating that the patch "is temporarily unavailable and will be returned to the web shortly."
A spokeswoman for Microsoft says the patch was pulled after complaints from customers.
"The Microsoft Security Response Center received reports from customers on Friday morning that there were some technical issues with the patch. The decision was made to pull the patch while investigating the issue. We take integrity of those patches very seriously and are working to get the patch back up," the spokeswoman says. She declined to give details on the technical issues and also declined to specify the number of customer complaints.
Microsoft warned in a security bulletin posted last Wednesday that a security flaw exists in the Outlook Web Access module of its Exchange 2000 Server email system. The flaw could allow an unauthorised user to access mailbox contents, according to Microsoft. The apparently faulty security patch was offered by Microsoft to plug the hole.
Outlook Web Access allows users to access their Exchange mailbox via the web, rather than using the Outlook client software on their own PC. The flaw exists in the interaction between the web access feature and Microsoft's Internet Explorer web browser, Microsoft said on Wednesday.
Using malicious code in an email attachment, a hacker could gain access to a user's mailbox and would have the ability to delete messages and folders, Microsoft said.
The Outlook Web Access feature of Exchange is activated by default when Exchange 2000 Server is installed. Microsoft's security bulletin can be viewed on the web.