Microsoft is set to release the third service pack for its Exchange
2000 server software this month. It will include fixes for bugs
discovered as part of its lengthy review of the software
code.
The Exchange 2000 Service Pack 3, however, will be released
specifically to address issues the company discovered under its
recent Trustworthy Computing initiative, said Jim Bernardo, product
manager for Microsoft's .net Enterprise Server team.
As part of the initiative, each division at Microsoft underwent a
code review, checking each piece of software in search of
vulnerabilities.
"We spent six or seven weeks scrubbing code" with Exchange 2000,
Bernardo said. "The service pack will include changes and fixes
based on the scrub we did."
One security feature that will be added to Exchange 2000 with the
service pack release configures the server software with all the
features "locked down" by default. To take advantage of some of the
non-essential features of the software, such as special network
extensions, administrators will have to activate the various
settings in the software manually.
The service pack will also include a security tweak that will help
prevent buffer over-runs, Bernardo said. Buffer over-runs occur
when an attacker writes more data than fits in the memory assigned
to a specific task on a computer. They can result in unpredictable
behaviour such as crashes, denial of service and code
execution.
No new product features will be added to Exchange 2000 with Service
Pack 3. However, one existing feature that allows Exchange to work
with Windows .net Server has been overhauled. Microsoft plans to
release Windows .net Server, the next version of Windows 2000
Server, by the end of the year.