News

Vulnerability Found in Exchange Server Outlook Web Access

A newly discovered flaw in the Outlook Web Access service of Exchange 5.5 Server could allow a remote attacker to take partial control of the Exchange server. Microsoft released a patch for the vulnerability on Tuesday.

The security bulletin was the only new one posted for Microsoft's monthly "Patch Tuesday" for August. Microsoft did re-release an older security bulletin, MS04-020, for a POSIX flaw that the company has since determined also affects its Interix 2.2 product.

The new Exchange OWA flaw, MS04-026, is rated "moderate." While it can allow access to the server at an OWA user's level of privilege, exploitation requires the attacker to find an OWA user and send him a maliciously crafted e-mail to with a link the user must click through.

Microsoft also warns that it may be possible to exploit the vulnerability to manipulate Web browser caches and intermediate proxy server caches and put spoofed content in those caches.

Later versions of Outlook Web Access in Exchange 2000 and Exchange 2003 are not affected by the flaw. The flaw also does not affect Exchange 5.5 Servers that are not running Outlook Web Access.

The vulnerability was reported to Microsoft by Amit Klein of Sanctum. Microsoft's bulletin says the company had not received any information indicating that the vulnerability had been publicly disclosed or publicly used to attack customers.

View the new security bulletin at www.microsoft.com/technet/security/bulletin/ms04-026.mspx.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Broadcom Revamps VMware Partner Program Again

    Broadcom recently announced a significant update regarding its VMware Cloud Service Provider (VCSP) program, coinciding with the release of VMware Cloud Foundation (VCF) 9.0, a key component in Broadcom’s private cloud strategy.

  • Closeup of the new Copilot keyboard key

    Microsoft Updates Copilot To Add Context-Sensitive Agents to Teams, SharePoint

    Microsoft has rolled out a new public preview for collaborative "always on" agents in Microsoft 365 Copilot, bringing enhanced, context-aware tools into Teams channels, meetings, SharePoint sites, Planner workstreams and Viva Engage communities.

  • Windows 365 Cloud Apps Now Available for Public Preview

    Microsoft announced this week that Windows 365 Cloud Apps are now available for public preview. This aims to allow IT administrators to stream individual Windows applications from the cloud, removing the need to assign Cloud PCs to every user.

  • Report: Security Initiatives Can't Keep Pace with Cloud, AI Boom

    The increasingly fast adoption of hybrid, multicloud, and AI systems is easily outgrowing existing security measures, according to a recent global survey by the Cloud Security Alliance (CSA) and exposure management firm Tenable.