1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Vulnerability in Exchange 5.5 : Dec 6

Discussion in 'Web & Email' started by eddie5659, Dec 6, 2001.

Thread Status:
Not open for further replies.
  1. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Joined:
    Mar 19, 2001
    Messages:
    36,048
    Hiya

    Specially Formed Script in HMTL Mail can Execute in Exchange 5.5 OWA

    Outlook Web Access (OWA) is a service of Exchange 5.5 Server that
    allows users to access and manipulate messages in their Exchange
    mailbox by using a web browser.

    A flaw exists in the way OWA handles inline script in messages in
    conjunction with Internet Explorer (IE). If an HTML message that
    contains specially formatted script is opened in OWA, the script
    executes when the message is opened. Because OWA requires that
    scripting be enabled in the zone where the OWA server is located,
    a vulnerability results because this script could take any action
    against the user's Exchange mailbox that the user himself was
    capable of, including sending, moving, or deleting messages. An
    attacker could maliciously exploit this flaw by sending a
    specially crafted message to the user. If the user opened the
    message in OWA, the script would then execute.

    While it is possible for a script to send a message as the user,
    it is impossible for the script to send a message to addresses in
    the user's address book. Thus, the flaw cannot be exploited for
    mass-mailing attacks. Also, mounting a successful attack requires
    knowledge of the intended victim's choice of mail clients and
    reading habits. If the maliciously crafted message were read in
    any mail client other than a browser through OWA, the attack
    would fail.

    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-057.asp

    Regards

    eddie
     
  2. eddie5659

    eddie5659 Moderator Malware Specialist Thread Starter

    Joined:
    Mar 19, 2001
    Messages:
    36,048
    Hiya

    Bit of an update:

    Reason for Revision:
    ====================
    On December 6, 2001 Microsoft released the original version of this
    bulletin. On December 7, 2001 an issue relating to file dependencies
    for the patch was identified and the bulletin was updated and
    re-released
    to include this information. Specifically, for this patch to function
    properly, the Outlook Web Access (OWA) server on which the patch is
    installed must have Internet Explorer (IE) 5.0 or greater installed.
    If
    the patch is installed on a system with a version of IE older than
    5.0,
    unexpected consequences may result. The "Caveats" section has been
    updated to include version requirements for this patch. In addition,
    it
    contains version recommendations for dependent components that are
    applicable at the time of this writing. In addition, the FAQ contains
    remediation information for customers who have applied this patch
    on systems with versions of IE older than 5.0.


    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-057.asp

    Regards

    eddie
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/60947

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice