News

Vulnerability Found in Exchange Server Outlook Web Access

A newly discovered flaw in the Outlook Web Access service of Exchange 5.5 Server could allow a remote attacker to take partial control of the Exchange server. Microsoft released a patch for the vulnerability on Tuesday.

The security bulletin was the only new one posted for Microsoft's monthly "Patch Tuesday" for August. Microsoft did re-release an older security bulletin, MS04-020, for a POSIX flaw that the company has since determined also affects its Interix 2.2 product.

The new Exchange OWA flaw, MS04-026, is rated "moderate." While it can allow access to the server at an OWA user's level of privilege, exploitation requires the attacker to find an OWA user and send him a maliciously crafted e-mail to with a link the user must click through.

Microsoft also warns that it may be possible to exploit the vulnerability to manipulate Web browser caches and intermediate proxy server caches and put spoofed content in those caches.

Later versions of Outlook Web Access in Exchange 2000 and Exchange 2003 are not affected by the flaw. The flaw also does not affect Exchange 5.5 Servers that are not running Outlook Web Access.

The vulnerability was reported to Microsoft by Amit Klein of Sanctum. Microsoft's bulletin says the company had not received any information indicating that the vulnerability had been publicly disclosed or publicly used to attack customers.

View the new security bulletin at www.microsoft.com/technet/security/bulletin/ms04-026.mspx.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • Attackers Using Excel Read-Only Files To Obscure Malware

    Attackers can attempt to hide malicious payloads in Excel files sent by e-mail by using a standard Excel feature, according to a Tuesday post by Mimecast researchers.

  • Microsoft 365 Personal and Family Product Unveiled

    Microsoft on Monday announced new "Microsoft 365 Personal and Family subscriptions" to come next month, a new single consumer product providing access to applications such as Excel, PowerPoint and Word.

  • Microsoft Shifting Away from Office 365 Brand Name in April

    Microsoft on Monday announced coming product naming changes, where "Office 365" is mostly getting replaced by the "Microsoft 365" brand.

  • Microsoft Grows Services Amid COVID-19

    Microsoft in a Saturday announcement recapped how its services have been affected by "shelter-in-place" governmental mandates in the last week, providing details on growth stats and prioritizations.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.