Microsoft Patches OWA Vulnerability

Microsoft Corp. on Thursday moved to patch a new vulnerability in Exchange 5.5’s Outlook Web Access (OWA) component that could enable an attacker to access and take action against a user’s e-mail.

In a security bulletin that it distributed to members of its security mailing list, Microsoft acknowledged that an attacker could exploit the new OWA vulnerability to read, move, send or even delete a user’s e-mail messages.

The software giant confirmed that the new vulnerability stems from a flaw in the way OWA handles inline script in messages when it is used with Microsoft’s Internet Explorer (IE) Web browser. According to Microsoft, an attacker could format an HTML message so that when it’s opened in OWA and viewed through IE her script would execute automatically, in the security context of the logged-in user. An attacker who successfully perpetrates an attack of this kind could, the software giant allows, “take any action against the user's Exchange mailbox that the user himself was capable of.”
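The flaw described above is the classic failure of a webmail client rendering attacker-supplied HTML without neutralizing active content. As an added illustration (not code from the article or from Microsoft), the following Python sketch shows the allowlist-based sanitization a webmail renderer applies to a message body before handing it to the browser; the tag and URL-scheme allowlists and the sample message are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Constructed HTML mail body (not from the article): inline script and event
# handlers of the kind a webmail renderer must never hand to the browser.
SAMPLE_MESSAGE = (
    "<p>Quarterly <b>report</b> attached.</p>"
    "<script>alert(1)</script>"
    '<img src="x" onerror="alert(1)">'
    '<a href="javascript:alert(1)" onclick="alert(1)">click</a>'
)
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "a", "ul", "ol", "li", "div", "span"}
ALLOWED_ATTRS = {"a": {"href"}}          # tags not listed here keep no attributes
SKIP_TAGS = {"script", "style", "object", "embed", "iframe"}  # drop tag and content
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class MailSanitizer(HTMLParser):
    # Allowlist rewriter: unknown tags vanish, on* handlers and non-http(s)/mailto
    # links are removed, text is re-escaped, and every removal is recorded.
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_TAGS:
            self.skip += 1
        if self.skip or tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}.{name}")
            elif name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                self.dropped.append(f"href:{value}")
            else:
                kept.append(f' {name}="{html.escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in SKIP_TAGS:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:                # text inside <script>/<style> is discarded
            self.out.append(html.escape(data, quote=False))

def sanitize_mail_html(body):
    # Returns (sanitized_html, list_of_removed_items) for one message body.
    parser = MailSanitizer()
    parser.feed(body); parser.close()
    return "".join(parser.out), parser.dropped
```

The returned removal list is what a webmail server would log; a spike in stripped `script` tags or `on*` attributes across inbound mail is a useful detection signal for this class of attack.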

According to Microsoft’s Security Bulletin Rating System, the new OWA vulnerability merits a “moderate” rating for both Internet-facing and intranet-bound systems.

The software giant claims that the potential severity of the new vulnerability is mitigated by a variety of factors. First of all, it notes, the vulnerability can only be exploited in OWA and then only with IE. “Mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits,” the security bulletin stresses.

Secondly, the new vulnerability affects only OWA 5.5, and not the version of OWA that ships with Exchange 2000. Finally, Microsoft maintains that it’s impossible for an attacker to write a script to automatically send messages to each of the e-mail addresses in a user’s personal address book, so the new OWA vulnerability can’t be exploited for mass mailing attacks.

Microsoft released a patch for the vulnerability.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
