Unpatched antivirus leaves Exchange servers vulnerable

A bug in Network Associates software is being actively exploited by attackers, despite the availability of a patch months ago

In the digital equivalent of an autoimmune disease, Microsoft Exchange servers at a handful of companies have crashed because of a flaw in the Network Associates antivirus software that's designed to protect them.

Network Associates confirmed on Thursday that in the past two days, four customers have been affected by a problem in its McAfee GroupShield 5.2 antivirus software for Exchange 2000 servers. A fifth company discovered the issue, but didn't suffer a crash, the security software maker said.

A patch for the flaw was issued to clients in January, said Network Associates, but apparently, several corporations have yet to apply the fix. The vulnerability causes the GroupShield software to crash - corrupting the Exchange message store - when an email message with certain characteristics is received by Exchange servers.

"Customers that haven't applied the patch will want to schedule some immediate downtime to do the administration," said a technician familiar with the problem. Companies that don't apply the patch could be looking at an extensive email outage. "We are talking hours of restore time, in a best-case scenario," he said.

Vincent Gullotto, vice president for Network Associates' antivirus emergency response team, said he wasn't sure why the months-old issue had suddenly turned critical.

"We are thinking that someone may have found the problem (and sent emails to take advantage of it)," Gullotto said. "Or someone decided this week to send out a spam that had" properties that triggered the flaw.

Network Associates sent out another advisory on Thursday to warn customers of the issue and urge that they apply Hotfix 2 for the GroupShield application.

Originally, the affected companies assumed that the Exchange server problem had been caused by Microsoft software. But Microsoft's support teams assessed that the problem originated with McAfee GroupShield. By Thursday, Network Associates had determined that software left unpatched by its clients had caused the issue.

It's not known how many customers the flaw affects. Frequently, companies will not immediately apply a patch, either because they need to test the update or because they can't afford to have a resource as critical as email out of action while they apply the fix.

In addition, companies constantly worry that the latest update for critical software could break other applications that rely on it. Two years ago, Microsoft had to release a patch for Exchange three times before the software giant got it right. And last December, a bug in a just-released version of the Linux kernel could have caused data loss in systems that had seen a core operating-system update during a certain two-week period.

News.com's Michael Kanellos contributed to this report.