Microsoft Patches OWA Vulnerability
- By Stephen Swoyer
- December 07, 2001
Microsoft Corp. on Thursday moved to patch a new vulnerability in Exchange 5.5’s Outlook Web Access (OWA) component that could enable an attacker to access and take action against a user’s e-mail.
In a security bulletin that it distributed to members of its security mailing list, Microsoft acknowledged that an attacker could exploit the new OWA vulnerability to read, move, send or even delete a user’s e-mail messages.
The software giant confirmed that the new vulnerability is enabled by means of a flaw in the way in which OWA handles inline script messages when it’s operating in conjunction with Microsoft’s Internet Explorer (IE) Web browser. According to Microsoft, an attacker could format an HTML message so that when it’s opened in OWA and viewed through IE her script would execute automatically. An attacker who successfully perpetrates an attack of this kind could, the software giant allows, “take any action against the user's Exchange mailbox that the user himself was capable of.”
According to Microsoft’s Security Bulletin Rating System, the new OWA vulnerability merits a “moderate” rating for both Internet-facing and intranet-bound systems.
The software giant claims that the potential severity of the new vulnerability is mitigated by a variety of factors. First of all, it notes, the vulnerability can only be exploited in OWA and then only with IE. “Mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits,” the security bulletin stresses.
Secondly, the new vulnerability affects only OWA 5.5, and not the version of OWA that ships with Exchange 2000. Finally, Microsoft maintains that it’s impossible for an attacker to write a script to automatically send messages to each of the e-mail addresses in a user’s personal address book, so the new OWA vulnerability can’t be exploited for mass mailing attacks.
Microsoft released a patch for the vulnerability.
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.