Outlook Web Access Script Execution Vulnerability in Microsoft Exchange

A vulnerability exists in the Microsoft Exchange Server 5.5 Outlook Web Access (OWA) service that lets an attacker take any action on the user’s mailbox that the user can take, including deleting, moving and sending messages.

Ken Pfeil

December 6, 2001

Reported December 6, 2001, by Microsoft.

VERSIONS AFFECTED

 

  • Microsoft Exchange Server 5.5 using Outlook Web Access

 

DESCRIPTION
A vulnerability exists in the Microsoft Exchange Server 5.5 Outlook Web Access (OWA) service that lets an attacker take any action on the user’s mailbox that the user can take, including deleting, moving and sending messages. The vulnerability results from a problem in the way that OWA handles inline script messages used in conjunction with Internet Explorer (IE). If the attacker uses OWA to open an HTML message containing a specially formed script, the script executes under the user’s security context.

 

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS01-057 to address this vulnerability and recommends that affected users apply the patch provided at this URL.

 

CREDIT
Discovered by Lex Arquette of WhiteHat Security.
