News

Microsoft Patches OWA Vulnerability

Microsoft Corp. on Thursday moved to patch a new vulnerability in Exchange 5.5’s Outlook Web Access (OWA) component that could enable an attacker to access and take action against a user’s e-mail.

In a security bulletin that it distributed to members of its security mailing list, Microsoft acknowledged that an attacker could exploit the new OWA vulnerability to read, move, send or even delete a user’s e-mail messages.

The software giant confirmed that the new vulnerability is enabled by means of a flaw in the way in which OWA handles inline script messages when it’s operating in conjunction with Microsoft’s Internet Explorer (IE) Web browser. According to Microsoft, an attacker could format an HTML message so that when it’s opened in OWA and viewed through IE her script would execute automatically. An attacker who successfully perpetrates an attack of this kind could, the software giant allows, “take any action against the user's Exchange mailbox that the user himself was capable of.”

According to Microsoft’s Security Bulletin Rating System, the new OWA vulnerability merits a “moderate” rating for both Internet-facing and intranet-bound systems.

The software giant claims that the potential severity of the new vulnerability is mitigated by a variety of factors. First of all, it notes, the vulnerability can only be exploited in OWA and then only with IE. “Mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits,” the security bulletin stresses.

Secondly, the new vulnerability affects only OWA 5.5, and not the version of OWA that ships with Exchange 2000. Finally, Microsoft maintains that it’s impossible for an attacker to write a script to automatically send messages to each of the e-mail addresses in a user’s personal address book, so the new OWA vulnerability can’t be exploited for mass mailing attacks.

Microsoft released a patch for the vulnerability.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

Featured

  • What Does Office 365 Support for New Surface Hardware Actually Mean?

    Microsoft has spilled a lot of ink touting the ways that its new Surface-branded peripherals will be bring Office 365 features to life.

  • Azure Active Directory ID Protection 'Refresh' Now Available

    Microsoft's enhancements to the Azure Active Directory Identity Protection service are now said to be "generally available" (GA), or ready for commercial use, per a Wednesday announcement.

  • Microsoft Releases Windows 10 Version 1909

    Microsoft on Tuesday announced the release of Windows 10 version 1909, a new operating system product that's also known as the "Windows 10 November 2019 Update."

  • November Microsoft Security Bundle Addresses 75 Vulnerabilities

    Of that number, 13 vulnerabilities are rated "Critical" to patch, while 62 vulnerabilities are deemed "Important."

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.