Microsoft Patches OWA Vulnerability -- Redmondmag.com

Microsoft Patches OWA Vulnerability

By Stephen Swoyer
12/07/2001

Microsoft Corp. on Thursday moved to patch a new vulnerability in Exchange 5.5’s Outlook Web Access (OWA) component that could enable an attacker to access and take action against a user’s e-mail.

In a security bulletin that it distributed to members of its security mailing list, Microsoft acknowledged that an attacker could exploit the new OWA vulnerability to read, move, send or even delete a user’s e-mail messages.

The software giant confirmed that the new vulnerability is enabled by means of a flaw in the way in which OWA handles inline script messages when it’s operating in conjunction with Microsoft’s Internet Explorer (IE) Web browser. According to Microsoft, an attacker could format an HTML message so that when it’s opened in OWA and viewed through IE her script would execute automatically. An attacker who successfully perpetrates an attack of this kind could, the software giant allows, “take any action against the user's Exchange mailbox that the user himself was capable of.”

According to Microsoft’s Security Bulletin Rating System, the new OWA vulnerability merits a “moderate” rating for both Internet-facing and intranet-bound systems.

The software giant claims that the potential severity of the new vulnerability is mitigated by a variety of factors. First of all, it notes, the vulnerability can only be exploited in OWA and then only with IE. “Mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits,” the security bulletin stresses.

Secondly, the new vulnerability affects only OWA 5.5, and not the version of OWA that ships with Exchange 2000. Finally, Microsoft maintains that it’s impossible for an attacker to write a script to automatically send messages to each of the e-mail addresses in a user’s personal address book, so the new OWA vulnerability can’t be exploited for mass mailing attacks.

Microsoft released a patch for the vulnerability.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

Featured

Microsoft Kills 30-Day Data Retention Policy for Copilot in Fabric

Microsoft this week announced several usability improvements coming to Copilot in Fabric in preparation of its general availability release later this year.
Using Microsoft Office to Build a Network Diagram 2

Now that we've set up our process, let's dig in with the actual execution.
Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.
PowerShell Script Used in Phishing Attack May Be AI-Generated

A PowerShell script being used in a novel malware campaign may have been created by AI, according to security researchers at Proofpoint.