Exploit Out For Exchange Bug

May 11, 2006

A security company with vulnerability expertise has released a denial-of-service exploit against Microsoft Exchange's calendar, the same feature patched earlier this week that has analysts worried about a worm, Symantec said Thursday.

Immunity Security, which markets the CANVAS exploit tool, has added the capability to launch a denial-of-service (DoS) attack against Exchange, Microsoft's mail server software, Symantec said in an alert to enterprise customers.

"This closely follows the initial release of the fuzzer targeting the same service," Symantec said. On Wednesday, Immunity unveiled a stress-test tool, a "fuzzer," that hammered on one of the two calendar functions mentioned in Microsoft's MS06-019 security bulletin.

Symantec isn't sure if the Immunity exploit targets the same vulnerability that Microsoft patched, or is an attack against a new zero-day bug.

Because Immunity only releases its exploits to users of the CANVAS framework, Symantec said it was "unlikely" that it would leak to hackers in the near future. In the past, however, Immunity's development of an exploit has been followed by independent work by hackers. In October 2005, for instance, Immunity released an exploit for a bug patched the previous day by Microsoft; by the end of November, others had come up with their own attacks.

Symantec recommended that companies not only patch the vulnerability fixed in MS06-019, but also apply the workarounds outlined in the bulletin in case the Immunity exploit is aimed at an unpatched problem.
