Microsoft Security Bulletins for Exchange (10/12/2004)

Exchange Blog Readers,

Today Microsoft released the Security Bulletin Summary for the month of October (  In this bulletin there are a couple of fixes that relate to the Exchange Server:

Microsoft Security Bulletin MS04-035: Vulnerability in SMTP Could Allow Remote Code Execution (885881)
Microsoft Security Bulletin MS04-036: Vulnerability in NNTP Could Allow Remote Code Execution (883935)
The Exchange Team strongly suggests you install these patches on your Exchange Servers.
Chris Ahler


Comments (2)
  1. Matt Drnovscek says:

    Hi everyone,

    After giving the security bulletins a once over I’m curious to hear what how critical the Exchange teams thinks these hotfixes are for internal exchange servers. In an org like mine where my Exchange servers do not communicate directly with the internet (we have non-exchange inbound and outbound gateways) and where our exchange servers use hardened AD-integrated DNS servers I don’t think we need to install the SMTP hotfix as the exploit requires a carefully formatted DNS response. Assuming that my DNS/DCs servers are in good shape do I need to install the hotfix. If my exchange servers communicated directly with the internet I could see this as being a worthwhile hotfix.

    With the NNTP hotfix EX2K3 disables the NNTP service after install (side Q if the service is disabled why is it needed during install?) so unless the NNTP service is active you should’nt need to install the hotfix (if you’re running EX2k you may want to disable the NNTP service.

    I’m just curious to hear what the wonderfull people @ the Exchange blog think regarding my comments.

    Great BLOG, read it daily, keep up the good work.



  2. Chris Ahlers says:

    Being on the Exchange Security Team I find myself torn while replying to Matt’s questions. One side of me wants to demand that all appropriate patches are applied to all servers and desktops in all environments. However, the other side of me understands that this is not the way it works in all business environments and not everyone is so anxious to deploy Microsoft patches when they are released.

    Therefore, my suggestion is one of compromise. I would suggest that you apply these patches the next time you have scheduled downtime on these Exchange servers. I think these patches are important enough to have on your servers even if your environment does not make these vulnerabilities exploitable. There is a security term that is quite often used called “Defense in Depth” and I see these patches providing “Defense in Depth” for your environment.

    I hope this answers your concerns.


Comments are closed.

Skip to main content