Microsoft says what one Exchange user considers a security hole in Exchange Server 5.0 is unlikely to affect most people and that there are ways to reduce even that minimal risk.
Last week, Rajiv Pant, head of technical development for Philadelphia Online, reported that the Exchange 5.0 service POP3 connector caches old passwords for an indefinite period. Pant said this could let somebody who knows a user's password log on to the server.
Rob Shurtleff, Microsoft's group manager for Exchange marketing, says the behavior applies only to clear-text passwords. He says Microsoft recommends the use of more secure password systems, such as NT challenge and response. This is supported by Exchange, by the Outlook Express 4.0 client and by any other Outlook client with the most recent POP3 driver.
Shurtleff says that, in any case, the server automatically flushes the cache within 15 minutes after a user logs off the system - or within two hours if the user stays connected - rendering the old passwords useless.
Shurtleff says administrators can reduce these times through the standard configuration system that comes with Exchange. However, he says reducing the caching time could degrade performance to some extent.
Shurtleff says Microsoft will post an article in its Knowledge Base discussing the issue. The article ID will be Q166620.
Pant could not be reached for comment.