Microsoft Patches Outlook Web Access Again

In a reprise of a now familiar scenario, Microsoft Corp. on Wednesday night alerted Exchange 2000 administrators to the discovery of another vulnerability in Exchange's Outlook Web Access (OWA) component, one that it says an attacker could exploit to mount a denial-of-service (DoS) attack.

Because of a variety of mitigating factors, however, the software giant said that the danger posed by the latest OWA vulnerability is minimal.

In a security bulletin distributed to members of its security mailing list, Microsoft confirmed the vulnerability and recommended that administrators running OWA with Exchange 2000 apply the patch it released to fix the problem.

According to Microsoft, the vulnerability exists because OWA accepts and begins processing requests for items in an authenticated user's mailbox before it checks that the requested items exist or that the folder path leading to them is valid. "An attacker could mount a denial of service attack by repeatedly levying a request for a non-existent but deeply nested folder in his own mailbox," the security bulletin acknowledges.

An attack of this kind would have to be carried out by an authenticated user against her own mailbox – or by an attacker who gains access to the mailbox of a user on the Exchange server. Microsoft says that such an attack could cause the process servicing the targeted mailbox to consume all of the CPU resources of the server on which it runs.

The server returns to normal once it finishes handling the request, but an attacker could keep it saturated simply by sending the same, or similar, deeply nested bogus requests over and over.
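Because the attack requires an authenticated mailbox owner, the server's own web logs are the natural place to spot it. The following is an added example, not code from Microsoft's bulletin or from this article: it parses a constructed sample of IIS W3C extended log lines (the format OWA's web front end writes) and flags users who repeatedly request folder paths far deeper than any real mailbox hierarchy. The `/exchange` virtual root, the depth threshold of 8 segments, and the repetition threshold of 3 requests are assumptions to be tuned per site; the log lines themselves are made up for the example.

```python
"""Flag OWA clients that repeatedly request deeply nested, non-existent folders.

Added example, not from the advisory. Assumes IIS W3C extended logging with the
cs-username, cs-uri-stem and sc-status fields enabled; the depth and repetition
thresholds below are assumptions to tune for your environment.
"""
from collections import Counter

# Constructed sample log in W3C extended format (not real traffic). The
# backslashes in domain user names are doubled only because this is a
# Python string literal.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status
2001-11-01 10:00:01 10.0.0.5 CORP\\alice GET /exchange/alice/Inbox 200
2001-11-01 10:00:02 10.0.0.5 CORP\\alice GET /exchange/alice/a/b/c/d/e/f/g/h/i/j/k/l/m 404
2001-11-01 10:00:03 10.0.0.5 CORP\\alice GET /exchange/alice/a/b/c/d/e/f/g/h/i/j/k/l/m/n 404
2001-11-01 10:00:04 10.0.0.5 CORP\\alice GET /exchange/alice/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o 404
2001-11-01 10:00:05 10.0.0.7 CORP\\bob GET /exchange/bob/Inbox/Projects/2001/Q4 200
2001-11-01 10:00:06 10.0.0.7 CORP\\bob GET /exchange/bob/x/y/z/1/2/3/4/5/6/7/8/9 404
2001-11-01 10:00:07 10.0.0.9 - GET /exchange/ 401
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#"):
            continue  # other directives (#Software, #Version, #Date)
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        records.append(dict(zip(fields, values)))
    return records


def folder_depth(uri_stem, vroot="/exchange"):
    """Number of path segments below the mailbox: /exchange/alice/Inbox -> 1.

    Requests outside the assumed OWA virtual root yield 0.
    """
    parts = [p for p in uri_stem.split("/") if p]
    if len(parts) < 2 or parts[0].lower() != vroot.strip("/").lower():
        return 0
    return len(parts) - 2  # drop the virtual root and the mailbox name


def find_suspects(records, max_depth=8, min_count=3):
    """Return {user: count} for users with >= min_count failed requests deeper
    than max_depth segments.

    Only 4xx responses are counted: a deep folder that really exists and that
    the user owns is not the pattern the bulletin describes.
    """
    counts = Counter()
    for rec in records:
        user = rec.get("cs-username", "-")
        if user == "-":
            continue  # unauthenticated requests never reach a mailbox
        if not rec.get("sc-status", "").startswith("4"):
            continue
        if folder_depth(rec.get("cs-uri-stem", "")) > max_depth:
            counts[user] += 1
    return {user: n for user, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    for user, n in find_suspects(parse_w3c(SAMPLE_LOG)).items():
        print(f"{user}: {n} requests for deep, non-existent folders")
```

In the sample, only `CORP\alice` is flagged: her three 404s are each more than eight levels deep, while `CORP\bob` has one deep miss and one legitimate, shallow folder request. Run the same functions over a real IIS log directory and feed the result to whatever alerting you already have; the thresholds are the knobs to adjust if your users genuinely keep deep folder trees.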

Exchange security guidelines call for isolating OWA front-end servers from the back-end Exchange servers, in which case an attack of this kind would affect only the OWA server and not the mailbox servers themselves. Many IT organizations, however, have likely deployed Exchange and OWA on the same box and are at greater risk.

This is the third OWA-related vulnerability Microsoft has addressed this year, and the fifth OWA patch it has released.

In early June, the software giant needed three attempts to patch a serious OWA vulnerability that, when properly exploited, gave an attacker complete control over an affected user's mailbox. In early September, Microsoft patched another OWA vulnerability that could let an unauthenticated user enumerate Exchange e-mail addresses.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
