News

Vulnerability Found in Exchange Server Outlook Web Access

A newly discovered flaw in the Outlook Web Access service of Exchange 5.5 Server could allow a remote attacker to take partial control of the Exchange server. Microsoft released a patch for the vulnerability on Tuesday.

The security bulletin was the only new one posted for Microsoft's monthly "Patch Tuesday" for August. Microsoft did re-release an older security bulletin, MS04-020, for a POSIX flaw that the company has since determined also affects its Interix 2.2 product.

The new Exchange OWA flaw, MS04-026, is rated "moderate." While it can allow access to the server at an OWA user's level of privilege, exploitation requires the attacker to find an OWA user and send him a maliciously crafted e-mail to with a link the user must click through.

Microsoft also warns that it may be possible to exploit the vulnerability to manipulate Web browser caches and intermediate proxy server caches and put spoofed content in those caches.

Later versions of Outlook Web Access in Exchange 2000 and Exchange 2003 are not affected by the flaw. The flaw also does not affect Exchange 5.5 Servers that are not running Outlook Web Access.

The vulnerability was reported to Microsoft by Amit Klein of Sanctum. Microsoft's bulletin says the company had not received any information indicating that the vulnerability had been publicly disclosed or publicly used to attack customers.

View the new security bulletin at www.microsoft.com/technet/security/bulletin/ms04-026.mspx.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Microsoft Buys Orions Systems To Enhance Vision AI Capabilities in Dynamics 365

    Microsoft announced on Tuesday that it has acquired Orions Systems with the aim of enhancing Dynamics 365 capabilities, as well as the Microsoft Power Platform.

  • Microsoft Hires Movial To Build Android OS for Microsoft Devices

    Microsoft has hired the Romanian operations of software engineering and design services company Movial to develop an Android-based operating system solution for the Microsoft Devices business segment.

  • Microsoft Ending Workflows for SharePoint 2010 Online Next Month

    Microsoft on Monday gave notice that it will be ending support this year for the "workflows" component of SharePoint 2010 Online, as well as deprecating that component for SharePoint 2013 Online.

  • Why Windows Phone Is Dead, But Not Completely Gone

    Don't call it a comeback (because that's not likely). But as Brien explains, there are three ways that today's smartphone market leaves the door open for Microsoft to bring Windows back to smartphones.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.