BNET UK
silicon.com
ZDNet UK

Home
News
Blogs
Reviews
Videos
Jobs
Resources
Community

Leader
Comment
White Papers
Downloads
Special Reports

Hardware
Software
Communications
Internet
Security
IT Management
Emerging Tech
Leader

Group Blogs
News Blog
Post Room
Rupert's Diary

Hardware Reviews
Software Reviews
Editors' Choice
Buyer's Guides
Tech Guides
Competitions

Dialogue Box
Security threats
Server platforms
Mobile devices
Application development
Full video index

Articles
White Papers
Downloads
Companies
Broadband Speed Test

People
Competitions
Post Room
FAQ

You are here: ZDNet UK > News > Software

Desktop platforms Toolkit

Microsoft fixes Exchange flaw

Tags:
Exchange,
Patch,
Microsoft,
Flaw

Published: 11 Aug 2004 09:40 BST

Microsoft published a patch on Tuesday for its Exchange 5.5 email and collaboration server software, fixing a flaw graded as "moderate," the second-lowest of four ratings.

The vulnerability revealed in Tuesday's advisory could be exploited to target people using the Web email component for Exchange, called Outlook Web Access, Microsoft said. An attacker with an account on a company's Exchange server could create a script that, when run by an OWA user on the same server, would give access to the victim's email boxes and information.

The flaw also allows the malicious programmer to place spoofed content, such as fake graphics and Web pages, in the server's cache of Web content.

The vulnerability is not easy to exploit, said Stephen Toulouse, a security program manager at Microsoft, citing several preconditions to making an attack work.

"The attacker would have to have an account, and the user would have to allow access," he said.

Last week, Microsoft shipped its largest collection of fixes and new features for its Windows operating system to manufacturers. The software update, dubbed Service Pack 2, improves the firewall, adds a software applet that displays the current security status of a PC and bolsters other aspects of PC security, the company said.

The SP2 security update does not address server issues, such as the latest Exchange flaw. The problem is in a category known as cross-site scripting vulnerabilities, which enable one site with a more lenient security model to be used to bypass another site's more stringent security.

"Cross-site scripting vulnerabilities are always the more complex ones," Toulouse said. "And this one is really complex."

The vulnerability does not affect Microsoft's most recent email software -- Exchange 2000 and Exchange 2003 -- and will not be a risk if a company using Exchange 5.5 does not have the OWA component installed, Toulouse said.

The Exchange 5.5 patch can be downloaded from Microsoft's Web site. Sanctum, a Web application security provider, found the flaw, the software maker stated in its advisory.

Did you find this article useful?
53 out of 69 people found this useful

Share this article:
Digg
Slashdot
Del.ici.ous
Stumble
Reddit

Company/Topic Alerts

Create a new alert from the list below:

Microsoft
Patch

Flaw
Exchange

Video

Install Flash Player plugin

Find out more: From The Labs: A look at...

All videos
Most popular videos
Latest videos

Microsoft Windows 7 Special Report Special Report

How Microsoft can make Windows 7 a success

Comment Many businesses have given Vista a wide berth; Microsoft must focus on five areas to make sure Windows 7 doesn't suffer the same fate, argues TechRepublic's Jason Hiner