Vulnerability in Exchange 5.5 : Dec 6

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

eddie5659 (Thread Starter, Moderator, Malware Specialist; joined Mar 19, 2001; 37,298 messages)
Hiya

Specially Formed Script in HTML Mail can Execute in Exchange 5.5 OWA

Outlook Web Access (OWA) is a service of Exchange 5.5 Server that
allows users to access and manipulate messages in their Exchange
mailbox by using a web browser.

A flaw exists in the way OWA handles inline script in messages in
conjunction with Internet Explorer (IE). If an HTML message that
contains specially formatted script is opened in OWA, the script
executes when the message is opened. Because OWA requires that
scripting be enabled in the zone where the OWA server is located,
a vulnerability results because this script could take any action
against the user's Exchange mailbox that the user himself was
capable of, including sending, moving, or deleting messages. An
attacker could maliciously exploit this flaw by sending a
specially crafted message to the user. If the user opened the
message in OWA, the script would then execute.

While it is possible for a script to send a message as the user,
it is impossible for the script to send a message to addresses in
the user's address book. Thus, the flaw cannot be exploited for
mass-mailing attacks. Also, mounting a successful attack requires
knowledge of the intended victim's choice of mail clients and
reading habits. If the maliciously crafted message were read in
any mail client other than a browser through OWA, the attack
would fail.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-057.asp

Regards

eddie
 

eddie5659 (Thread Starter, Moderator, Malware Specialist; joined Mar 19, 2001; 37,298 messages)
Hiya

Bit of an update:

Reason for Revision:
====================
On December 6, 2001 Microsoft released the original version of this
bulletin. On December 7, 2001 an issue relating to file dependencies
for the patch was identified and the bulletin was updated and
re-released to include this information. Specifically, for this patch
to function properly, the Outlook Web Access (OWA) server on which the
patch is installed must have Internet Explorer (IE) 5.0 or greater
installed. If the patch is installed on a system with a version of IE
older than 5.0, unexpected consequences may result. The "Caveats"
section has been updated to include version requirements for this
patch. In addition, it contains version recommendations for dependent
components that are applicable at the time of this writing. In
addition, the FAQ contains remediation information for customers who
have applied this patch on systems with versions of IE older than 5.0.


http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-057.asp

Regards

eddie
 