Microsoft security fix blocks access to e-mail

Some administrators of Microsoft's Exchange 2000 Server e-mail systems who installed a security patch posted by the software maker on Wednesday found themselves left with a malfunctioning e-mail gateway.

"After I installed the patch, our Outlook Web Access and POP3 (Post Office Protocol 3) weren't working. Regular Outlook clients locked up," one administrator wrote in an e-mail to IDG News Service. "After troubleshooting and finally giving up, I ... called Microsoft. Guess what? The patch caused all of our problems."

Microsoft on Friday pulled the software fix from its TechNet Web site and replaced the download link with a notice stating that the patch "is temporarily unavailable and will be returned to the Web shortly."

A spokeswoman for Microsoft said the patch was pulled after complaints from customers.

"The Microsoft Security Response Center received reports from customers on Friday morning that there were some technical issues with the patch. The decision was made to pull the patch while investigating the issue. We take integrity of those patches very seriously and are working to get the patch back up," the spokeswoman said. She declined to give details on the technical issues and also declined to specify the number of customer complaints.

Microsoft warned in a security bulletin posted Wednesday that a security flaw exists in the Outlook Web Access module of its Exchange 2000 Server e-mail system. The flaw could allow an unauthorized user to access mailbox contents, according to Microsoft. The apparently faulty security patch was offered by Microsoft to plug the hole.

Outlook Web Access allows users to access their Exchange mailbox via the Web, rather than using the Outlook client software on their own PC. The flaw exists in the interaction between the Web access feature and Microsoft's Internet Explorer Web browser, Microsoft said Wednesday.

Using malicious code in an e-mail attachment, a hacker could gain access to a user's mailbox and would have the ability to delete messages and folders, Microsoft said. The Outlook Web Access feature of Exchange is activated by default when Exchange 2000 Server is installed.