Vulnerability Found in Exchange Server Outlook Web Access
- By Scott Bekker
- August 10, 2004
A newly discovered flaw in the Outlook Web Access service of Exchange 5.5 Server could allow a remote attacker to take partial control of the Exchange server. Microsoft released a patch for the vulnerability on Tuesday.
The security bulletin was the only new one posted for Microsoft's monthly "Patch Tuesday" for August. Microsoft did re-release an older security bulletin, MS04-020, for a POSIX flaw that the company has since determined also affects its Interix 2.2 product.
The new Exchange OWA flaw, MS04-026, is rated "moderate." While it can allow access to the server at an OWA user's level of privilege, exploitation requires the attacker to find an OWA user and send him a maliciously crafted e-mail to with a link the user must click through.
Microsoft also warns that it may be possible to exploit the vulnerability to manipulate Web browser caches and intermediate proxy server caches and put spoofed content in those caches.
Later versions of Outlook Web Access in Exchange 2000 and Exchange 2003 are not affected by the flaw. The flaw also does not affect Exchange 5.5 Servers that are not running Outlook Web Access.
The vulnerability was reported to Microsoft by Amit Klein of Sanctum. Microsoft's bulletin says the company had not received any information indicating that the vulnerability had been publicly disclosed or publicly used to attack customers.
View the new security bulletin at www.microsoft.com/technet/security/bulletin/ms04-026.mspx.
Scott Bekker is editor in chief of Redmond Channel Partner magazine.