Microsoft Patches Outlook Web Access Again

In a reprise of a now familiar scenario, Microsoft Corp. Wednesday night alerted Exchange 2000 administrators to the discovery of another vulnerability in Exchange’s Outlook Web Access (OWA) component, one that it says an attacker could exploit to mount a denial-of-service (DoS) attack.

Because of a variety of mitigating factors, however, the software giant claimed that the danger posed by the latest OWA vulnerability is minimal.

In a security bulletin that it distributed to members of its security mailing list, Microsoft confirmed the existence of the vulnerability and recommended that administrators offering OWA in conjunction with Exchange 2000 should apply a patch that it made available to fix the problem.

According to Microsoft, the vulnerability exists because OWA accepts and processes item requests in authenticated users’ mailboxes before it actually checks to make sure that the specified items exist or that the folder structure which encompasses them is valid. “An attacker could mount a denial of service attack by repeatedly levying a request for a non-existent but deeply nested folder in his own mailbox,” the security bulletin acknowledges.

An attack of this kind would have to be perpetrated by an authenticated user in the context of her own mailbox – or by an attacker who gains access to the mailbox of a user on the Exchange server. Microsoft says that such an attack could cause the process which services the targeted mailbox to consume all of the CPU resources of the server on which it was running.

A system returns to normal after it finishes handling the request, but it’s possible that a sophisticated attacker could continuously levy the same, or similar, deeply nested false requests.
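The pattern described above, an authenticated user repeatedly requesting deeply nested folders in the same mailbox, is visible in the web server logs of the OWA front end. The following detector is an added example, not code from the article or from Microsoft; it assumes W3C-style IIS log fields (date, time, client IP, username, method, URI stem, status) and the `/exchange/<mailbox>/...` URI layout, and the sample log lines and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): date time c-ip cs-username cs-method cs-uri-stem sc-status
SAMPLE_LOG = """\
2001-11-01 10:00:01 10.0.0.5 CORP\\alice GET /exchange/alice/Inbox 200
2001-11-01 10:00:02 10.0.0.7 CORP\\bob GET /exchange/bob/a/b/c/d/e/f/g/h/i/j/k/l 404
2001-11-01 10:00:03 10.0.0.7 CORP\\bob GET /exchange/bob/a/b/c/d/e/f/g/h/i/j/k/l 404
2001-11-01 10:00:03 10.0.0.7 CORP\\bob GET /exchange/bob/a/b/c/d/e/f/g/h/i/j/k/m 404
2001-11-01 10:00:04 10.0.0.7 CORP\\bob GET /exchange/bob/a/b/c/d/e/f/g/h/i/j/k/n 404
2001-11-01 10:00:05 10.0.0.5 CORP\\alice GET /exchange/alice/Inbox/Projects/2001/Q4/Reports 200
2001-11-01 10:05:00 10.0.0.7 CORP\\bob GET /exchange/bob/Inbox 200
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Assumed OWA URI layout: /exchange/<mailbox>/<folder path>
OWA_RE = re.compile(r"^/exchange/[^/]+/(.*)$", re.IGNORECASE)

def folder_depth(uri_stem):
    """Folder components beneath the mailbox root; 0 if not a mailbox URI."""
    m = OWA_RE.match(uri_stem)
    if not m:
        return 0
    return len([p for p in m.group(1).split("/") if p])

def find_nested_folder_abuse(log_text, min_depth=8, threshold=3, window=timedelta(seconds=60)):
    """Return {user: n} for users who issued at least `threshold` requests for
    folders nested `min_depth` or deeper within any single `window` of time."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        ts, _ip, user, _method, uri, _status = m.groups()
        if folder_depth(uri) >= min_depth:
            events[user].append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for user, times in events.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[user] = best
    return flagged
```

Tune `min_depth` to exceed the deepest legitimate folder hierarchy in your environment, since ordinary users do occasionally open moderately nested folders.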

Exchange security guidelines call for isolating OWA servers from their back-end Exchange brethren, in which case an attack of this kind would affect only the OWA server and not the Exchange system itself. Many IT organizations, however, have likely deployed Exchange and OWA on the same box and could be at greater risk.

This is the third OWA-related vulnerability – and the fifth OWA patch overall – that Microsoft has addressed this year.

In early June, the software giant required three attempts to successfully patch a serious OWA vulnerability that, when properly exploited, provided an attacker with complete control over an affected user’s mailbox. In early September, Microsoft patched another OWA vulnerability that could enable an unauthenticated user to enumerate Exchange e-mail addresses.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
