Microsoft Patches OWA Vulnerability

Microsoft Corp. on Thursday moved to patch a new vulnerability in Exchange 5.5’s Outlook Web Access (OWA) component that could enable an attacker to access and take action against a user’s e-mail.

In a security bulletin that it distributed to members of its security mailing list, Microsoft acknowledged that an attacker could exploit the new OWA vulnerability to read, move, send or even delete a user’s e-mail messages.

The software giant confirmed that the vulnerability stems from a flaw in the way OWA handles inline script in HTML messages when it is used in conjunction with Microsoft’s Internet Explorer (IE) Web browser. According to Microsoft, an attacker could format an HTML message so that, when it is opened in OWA and viewed through IE, the attacker’s script would execute automatically. An attacker who successfully perpetrates an attack of this kind could, the software giant allows, “take any action against the user's Exchange mailbox that the user himself was capable of.”
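
As an added illustration (this is not Microsoft’s code and not the patch the bulletin describes), the following Python sketch shows the class of defence a webmail front end needs against a flaw of the kind described above: rebuild the untrusted message body through an allow-list sanitizer before splicing it into the page, so that `<script>` blocks, `on*` event handlers, `javascript:` links and IE conditional comments never reach the browser. The tag and attribute lists, the `sanitize_html` function and the sample message are all constructed for this demonstration.

```python
# Added example, not Microsoft's code and not the OWA patch itself: an allow-list
# HTML sanitizer of the kind a webmail front end must run over a message body
# before splicing that body into its own page. The bug class described in the
# article is rendering the sender's HTML as-is, so inline script runs inside the
# webmail page with whatever the logged-in user can do. The sample message at
# the bottom is constructed for this demo.
from html import escape
from html.parser import HTMLParser

# Tags the page is willing to render; anything else is dropped (its text is kept).
ALLOWED_TAGS = {
    "p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
    "div", "span", "blockquote", "table", "tr", "td", "th",
}
# Attribute allow list per tag: no on* handlers, no style, no src.
ALLOWED_ATTRS = {"a": {"href"}, "td": {"colspan"}, "th": {"colspan"}}
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class MailSanitizer(HTMLParser):
    """Rebuilds the message from scratch, emitting only allowed markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.open_tags = []    # stack of allowed tags currently open
        self.raw_depth = 0     # >0 inside <script>/<style>; their text is discarded
        self.dropped = []      # audit trail of everything removed

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.raw_depth += 1
            self.dropped.append(f"<{tag}>")
            return
        if self.raw_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"<{tag}>")   # tag and all its attributes go away
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{name}")
                continue
            # A URL must start with an allowed scheme; javascript:, data:,
            # vbscript:, protocol-relative and relative links are all removed.
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                self.dropped.append(f"{tag}@href={value}")
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.raw_depth = max(0, self.raw_depth - 1)
            return
        if self.raw_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        if tag in self.open_tags:
            # Close anything still open inside it so the output stays well formed.
            while True:
                opened = self.open_tags.pop()
                self.out.append(f"</{opened}>")
                if opened == tag:
                    break

    def handle_data(self, data):
        if not self.raw_depth:
            self.out.append(escape(data))   # text is re-escaped, never passed raw

    # Comments (including IE conditional comments), declarations, processing
    # instructions and <![CDATA[ ]]> blocks are removed rather than copied through.
    def handle_comment(self, data):
        self.dropped.append("<!--...-->")

    def handle_decl(self, decl):
        self.dropped.append("<!DECL>")

    def handle_pi(self, data):
        self.dropped.append("<?...?>")

    def unknown_decl(self, data):
        self.dropped.append("<![...]>")

    def result(self):
        self.close()                          # flush buffered text
        while self.open_tags:                 # close tags the sender left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(body):
    """Return (sanitized_html, dropped_items) for an untrusted message body."""
    s = MailSanitizer()
    s.feed(body)
    return s.result(), s.dropped


# Constructed sample: benign markup plus four common script vectors.
SAMPLE_MESSAGE = (
    '<p>Hello <b>there</b></p>\n'
    '<script>alert(1)</script>\n'
    '<img src="x" onerror="alert(2)">\n'
    '<a href="javascript:alert(3)">click</a>\n'
    '<a href="https://example.com/">ok</a>\n'
    '<!--[if IE]><script>alert(4)</script><![endif]-->'
)

if __name__ == "__main__":
    clean, dropped = sanitize_html(SAMPLE_MESSAGE)
    print(clean)
    print("dropped:", dropped)
```

Run against the sample, the benign paragraph and the `https:` link survive while the script block, the `img` with its `onerror` handler, the `javascript:` link and the conditional comment all land in the dropped list. The allow-list shape is the point: a deny list of known-bad tags is exactly what browser quirks such as IE conditional comments or whitespace-padded `javascript:` URLs get around. Whether Microsoft’s patch took this approach is not something the bulletin, as reported here, says.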

According to Microsoft’s Security Bulletin Rating System, the new OWA vulnerability merits a “moderate” rating for both Internet-facing and intranet servers.

The software giant claims that the potential severity of the new vulnerability is mitigated by a variety of factors. First of all, it notes, the vulnerability can only be exploited through OWA, and then only when the message is viewed with IE. “Mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits,” the security bulletin stresses.

Secondly, the new vulnerability affects only OWA 5.5, and not the version of OWA that ships with Exchange 2000. Finally, Microsoft maintains that it’s impossible for an attacker to write a script to automatically send messages to each of the e-mail addresses in a user’s personal address book, so the new OWA vulnerability can’t be exploited for mass mailing attacks.

Microsoft released a patch for the vulnerability.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

