Microsoft Patches Outlook Web Access Again
- By Stephen Swoyer
- September 27, 2001
In a reprise of a now-familiar scenario, Microsoft Corp. on Wednesday night alerted Exchange 2000 administrators to the discovery of another vulnerability in Exchange’s Outlook Web Access (OWA) component that it says an attacker could exploit to mount a denial-of-service (DoS) attack.
Because of a variety of mitigating factors, however, the software giant claimed that the danger posed by the latest OWA vulnerability is minimal.
In a security bulletin distributed to members of its security mailing list, Microsoft confirmed the existence of the vulnerability and recommended that administrators offering OWA in conjunction with Exchange 2000 apply a patch that it made available to fix the problem.
According to Microsoft, the vulnerability exists because OWA accepts and processes item requests in authenticated users’ mailboxes before it actually checks to make sure that the specified items exist or that the folder structure which encompasses them is valid. “An attacker could mount a denial of service attack by repeatedly levying a request for a non-existent but deeply nested folder in his own mailbox,” the security bulletin acknowledges.
An attack of this kind would have to be perpetrated by an authenticated user in the context of her own mailbox – or by an attacker who gains access to the mailbox of a user on the Exchange server. Microsoft says that such an attack could cause the process which services the targeted mailbox to consume all of the CPU resources of the server on which it was running.
A system returns to normal after it finishes handling the request, but it’s possible that a sophisticated attacker could continuously levy the same, or similar, deeply nested false requests.
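As an added illustration that is not part of Microsoft's bulletin or the original article, the sketch below shows how an administrator might spot the request pattern described above in web-server access records. The `/exchange/<user>/...` path layout, the 404 status for missing folders, the thresholds and the sample records are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

MAX_DEPTH = 10                  # assumed limit: folder levels below the mailbox root
MAX_HITS = 3                    # assumed limit: suspicious requests per window
WINDOW = timedelta(seconds=60)  # assumed sliding window

def folder_depth(path, user):
    """Folder levels under /exchange/<user>/, or None if not that user's own mailbox."""
    parts = [p for p in unquote(path).split("/") if p]
    if len(parts) < 2 or parts[0].lower() != "exchange" or parts[1].lower() != user.lower():
        return None
    return len(parts) - 2

def find_offenders(records):
    """records: (iso_time, authenticated_user, path, status) tuples, sorted by time."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, user, path, status in records:
        depth = folder_depth(path, user)
        # Only not-found requests for very deep folders in the caller's own mailbox count.
        # Assumption: a missing folder is logged with status 404.
        if status != 404 or depth is None or depth <= MAX_DEPTH:
            continue
        when = datetime.fromisoformat(ts)
        hits = recent[user]
        hits.append(when)
        while when - hits[0] > WINDOW:  # drop hits that fell out of the window
            hits.popleft()
        if len(hits) >= MAX_HITS:
            flagged.add(user)
    return flagged

# Constructed sample records (not real log data).
DEEP = "/exchange/mallory/Inbox/" + "/".join(f"f{i}" for i in range(40))
SAMPLE = [
    ("2001-09-27T10:00:00", "alice", "/exchange/alice/Inbox/Projects", 200),
    ("2001-09-27T10:00:01", "mallory", DEEP, 404),
    ("2001-09-27T10:00:02", "alice", "/exchange/alice/Inbox/Old/Missing", 404),
    ("2001-09-27T10:00:03", "mallory", DEEP + "/x", 404),
    ("2001-09-27T10:00:05", "mallory", DEEP + "/y", 404),
]

if __name__ == "__main__":
    print(sorted(find_offenders(SAMPLE)))
```

A single mistyped folder, like the shallow 404 in the sample, stays below both thresholds and is not flagged.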
Exchange security guidelines call for isolating OWA servers from their back-end Exchange brethren, in which case an attack of this kind would affect only the OWA server and not the Exchange system itself. Many IT organizations, however, have likely deployed Exchange and OWA on the same box and could be at greater risk.
This is the third OWA-related vulnerability that Microsoft has addressed this year, and the fifth OWA patch overall that it has released.
In early June, the software giant required three attempts to successfully patch a serious OWA vulnerability that, when properly exploited, provided an attacker with complete control over an affected user’s mailbox. In early September, Microsoft patched another OWA vulnerability that could enable an unauthenticated user to enumerate Exchange e-mail addresses.
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.