Microsoft has issued a third version of a patch intended to plug a security hole that could allow hackers access to mailboxes on Exchange Server versions 5.5 and 2000. The second patch contained outdated files, Microsoft said in an updated security bulletin issued Wednesday.
Because of the erroneous fix the e-mail system could show "performance problems ... in certain instances," the software maker said in the bulletin.
The first security update, hoped to get rid of the vulnerability, was posted exactly a week before the third one, on Wednesday, June 6. After customer complaints the patch was pulled and replaced on Friday.
Some system administrators said installing the first patch left them with a dysfunctional e-mail system; conventional Outlook clients failed and Outlook Web Access refused service. The second attempt to secure the e-mail system also caused problems for some administrators.
One administrator, who found his Exchange 2000 Server e-mail system in limbo after he installed the first patch, said he would let the new patch mature before installing.
"I will just wait until service pack 1 and for a couple of people try it out first," said a network administrator for a Silver Spring, Maryland-based consultancy firm in an e-mail.
The vulnerability exists in the Outlook Web Access module of the Exchange 2000 Server and Exchange 5.5 Server e-mail systems. Using malicious code in an e-mail attachment; a hacker could gain access to a user's mailbox, and could potentially delete messages and folders, Microsoft said in the bulletin.
Outlook Web Access allows users to access their e-mail via the Web, rather than using the Outlook client software on their own PC. The feature is activated by default on Exchange 2000 Server.