Reported October 15, 2003, by Microsoft.


  • Microsoft Exchange 2000 Server Service Pack 3 (SP3)
  • Exchange Server 5.5 SP4


·         A vulnerability in Exchange Server can result in a Denial of Service (DoS) condition or the execution of arbitrary code on the vulnerable system. This vulnerability stems from a flaw in the Internet Mail Service that can permit an unauthenticated attacker to connect to the SMTP port on an Exchange server and issue a specially crafted extended verb request. This scenario can result in the allocation of a large amount of memory and potentially cause a buffer overrun that could permit the attacker to run malicious programs in the security context of the SMTP service.


Microsoft has released security bulletin MS03-046, "Vulnerability in Exchange Server Could Allow Arbitrary Code Execution (829436)," which addresses this vulnerability, and recommends that affected users immediately apply the appropriate patch listed in the bulletin.


Discovered by Joăo Gouveia.