News

Vulnerability Found in Exchange Server Outlook Web Access

A newly discovered flaw in the Outlook Web Access service of Exchange 5.5 Server could allow a remote attacker to take partial control of the Exchange server. Microsoft released a patch for the vulnerability on Tuesday.

The security bulletin was the only new one posted for Microsoft's monthly "Patch Tuesday" for August. Microsoft did re-release an older security bulletin, MS04-020, for a POSIX flaw that the company has since determined also affects its Interix 2.2 product.

The new Exchange OWA flaw, MS04-026, is rated "moderate." While it can allow access to the server at an OWA user's level of privilege, exploitation requires the attacker to find an OWA user and send him a maliciously crafted e-mail to with a link the user must click through.

Microsoft also warns that it may be possible to exploit the vulnerability to manipulate Web browser caches and intermediate proxy server caches and put spoofed content in those caches.

Later versions of Outlook Web Access in Exchange 2000 and Exchange 2003 are not affected by the flaw. The flaw also does not affect Exchange 5.5 Servers that are not running Outlook Web Access.

The vulnerability was reported to Microsoft by Amit Klein of Sanctum. Microsoft's bulletin says the company had not received any information indicating that the vulnerability had been publicly disclosed or publicly used to attack customers.

View the new security bulletin at www.microsoft.com/technet/security/bulletin/ms04-026.mspx.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Windows Server 20H1 Getting Smaller Containers and Faster PowerShell

    Microsoft is promising to deliver a smaller container size and improved PowerShell performance with its next release of Windows Server.

  • Microsoft Previews Microsoft Teams for Linux

    Microsoft on Tuesday announced a "limited preview" release of Microsoft Teams for certain Linux desktop operating systems.

  • Hyper-V Architecture: Some Clarifications

    Brien answers two thought-provoking reader questions. First, do Hyper-V VMs have direct hardware access? And second, how is it possible to monitor VM resource consumption from the host operating system?

  • Old Stone Wall Graphic

    Microsoft Addressing 36 Vulnerabilities in December Security Patch Release

    Microsoft on Tuesday delivered its December bundle of security patches, which affect Windows, Internet Explorer, Office, Skype for Business, SQL Server and Visual Studio.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.