Microsoft Corp. issued a security bulletin late Thursday warning of a hole in the Windows 2000 operating system that allows intruders to relay spam e-mail from a remote PC.
The Redmond, Washington, software maker acknowledged the vulnerability, which was discovered in the Windows 2000 Simple Mail Transfer Protocol (SMTP) service, a standard protocol used for sending and receiving e-mail. The company issued a patch for the hole, available for download from its Web site, and said it would be included in the Windows 2000 Service Pack 3.
Microsoft said the vulnerability could allow an unauthorized user to successfully authenticate to the SMTP service using false credentials, and gain user-level privileges. The most likely reason for exploiting the vulnerability, the company noted, would be to send unidentifiable bulk mail.
"This vulnerability results because of an authentication error in the Windows 2000 SMTP service that installs by default as part of Windows 2000 Server products and optionally on Windows 2000 Professional," Microsoft said in the bulletin. "Download (the patch) now to prevent a malicious user from using your computer for mail relaying."
PCs that are members of a domain or run on Microsoft's Exchange 2000 Server are not affected by the vulnerability, Microsoft said. Customers who use SMTP services on their machines should apply the patch. Those who don't should disable the service, the company said.
The security bulletin is available online at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-037.asp/.