On its monthly update schedule Microsoft just released fixes for Exchange 2000 and Exchange 2003. The update described by bulletin MS05-021 (see references) closes a vulnerability that could allow remote code execution. An attacker could take complete control of the system, and as explained by the bulletin: "...could then install programs; view, change, or delete data; or create new accounts with full user rights."
The same vulnerability affects the two most recent Exchange releases but is much more serious in case of Exchange 2000. In fact the vulnerability is classified as Critical for Exchange 2000 but only as Moderate for Exchange 2003.
In Exchange 2000 the vulnerability could be exploited by an anonymous attacker. On the other hand in case of Exchange 2003, the attack can only originate from a user authenticated as an Exchange Enterprise Server or Exchange Domain Server security group member. This clearly reduces drastically the attack exposure for Exchange 2003.
The vulnerability is caused by an unchecked buffer in the handling of SMTP extension verbs. Exchange normally uses these for communication between servers to convey routing information. An attacker could in this case issue an SMTP command crafted specifically to exploit this vulnerability.
The update fixes the handling for these SMTP commands. Furthermore it brings Exchange 2000 at par with Exchange 2003 by adding authentication requirements for this type of command.
So far there exists no publicly available "proof of concept" code for this vulnerability. Its existence was only disclosed now that a fix is available. The bulletin gives credit to Mark Dowd and Ben Layer of ISS X-Force for reporting the issue. We should thank these guys for being responsible in the way they handled the information. They certainly saved us some stressful days.
For full details please read the bulletin at the references section. This includes download links to the updates and possible workarounds.
References
Microsoft Security Bulletin MS05-021
ISS X-Force