Information Disclosure Vulnerability in Microsoft Exchange Server 2003 OWA
A vulnerability in Microsoft Exchange Server 2003 can result in the random disclosure of a user's mailbox contents.
January 15, 2004
Reported January 13, 2004, by Microsoft.
VERSIONS AFFECTED
· Microsoft Exchange Server 2003
DESCRIPTION
· A vulnerability in Microsoft Exchange Server 2003 can result in the random disclosure of a user's mailbox contents. A user accessing his or her mailbox through an Exchange 2003 front-end server and Microsoft Outlook Web Access (OWA) might unintentionally connect to another user's mailbox if that other mailbox is hosted on the same back-end mailbox server and if that mailbox's owner has recently accessed it. This vulnerability stems from a flaw in the way Exchange 2003 reuses HTTP connections when NTLM authentication is in place between front-end Exchange 2003 servers providing OWA access and back-end Exchange 2003 servers running Windows Server 2003.
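A simplified model of the failure mode described above, added here as an illustration and not taken from Exchange or from Microsoft. It assumes only that NTLM authenticates the connection rather than each request; the class names, function names and user names are constructed. It compares a front end that reuses any idle back-end connection with one that pools connections per authenticated user.

```python
from collections import defaultdict


class BackendConnection:
    """Constructed model: connection-bound (NTLM-style) authentication.
    The identity proven in the handshake sticks to the connection."""
    def __init__(self):
        self.identity = None

    def authenticate(self, user):
        self.identity = user

    def open_mailbox(self):
        # The back end serves whoever the connection was authenticated as.
        return f"mailbox:{self.identity}"


class SharedPoolFrontEnd:
    """Flawed reuse: an idle authenticated connection goes to the next caller."""
    def __init__(self):
        self.idle = []

    def request(self, user):
        if self.idle:
            conn = self.idle.pop()          # reused without checking its owner
        else:
            conn = BackendConnection()
            conn.authenticate(user)
        result = conn.open_mailbox()
        self.idle.append(conn)
        return result


class PerUserPoolFrontEnd:
    """Hardened reuse: idle connections are keyed by authenticated identity."""
    def __init__(self):
        self.idle = defaultdict(list)

    def request(self, user):
        pool = self.idle[user]
        conn = pool.pop() if pool else BackendConnection()
        if conn.identity != user:           # fresh connection: authenticate it
            conn.authenticate(user)
        result = conn.open_mailbox()
        pool.append(conn)
        return result


def mismatches(front_end, users):
    """Replay requests in order; return (user, mailbox served) where they differ."""
    trace = [(u, front_end.request(u)) for u in users]
    return [(u, m) for u, m in trace if m != f"mailbox:{u}"]
```

In the shared pool, the second user is served the mailbox of the user who most recently used the connection, which matches the conditions in the description: same back-end server, recent access by the other mailbox's owner.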
VENDOR RESPONSE
Microsoft has released security bulletin MS04-002, "Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation (832759)," to address this vulnerability and recommends that affected users immediately apply the appropriate patch listed in the bulletin.
CREDIT
Discovered by Microsoft.