New Outlook Web Access Vulnerability Discovered

Microsoft Corp. Thursday night alerted administrators to a new vulnerability in Exchange 5.5’s Outlook Web Access (OWA) component that could enable an attacker to gain unauthorized access to corporate e-mail addresses.

In a security bulletin that it dispatched to members of its security mailing list, Microsoft acknowledged that an attacker could exploit the new OWA vulnerability to obtain otherwise confidential e-mail addresses.

Microsoft said that the vulnerability is actually the result of an authentication problem in an OWA function that interrogates Exchange 5.5’s global address list (GAL). Because this function doesn’t require authentication, Microsoft acknowledged, an attacker could exploit it to enumerate the e-mail addresses of users on a server.

The bulletin stressed, however, that an attacker cannot exploit the OWA vulnerability to read, write or change a user’s e-mail. By contrast, an OWA vulnerability that Microsoft patched in June affected Exchange 5.5 and Exchange 2000 systems and made it possible for an attacker to take complete control of a user’s mailbox.

According to Microsoft, the new vulnerability only enables an attacker to discover the e-mail addresses of users on an Exchange 5.5 server. Exchange 2000’s OWA implementation is not affected by the vulnerability.

Microsoft has released a patch to fix the problem.

Also Thursday night, the CERT Coordination Center issued an advisory concerning a buffer overflow vulnerability in versions 5.x and 6.x of the Gauntlet firewall from PGP Security. Gauntlet runs on several Unix platforms and is available as an e-appliance from McAfee and PGP Security. McAfee also distributes Gauntlet as part of its WebShield 4.1 product for Solaris.

According to CERT, an attacker could exploit a vulnerability in Gauntlet’s smap/smapd and CSMAP daemons to execute arbitrary code on a server with the privileges of the compromised daemon.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
