ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


IT Jobs

Desktop platforms Toolkit in association with http://ad.doubleclick.net/clk;205413468;14699245;m?http://adfarm.mediaplex.com/ad/ck/2397-58840-22058-14

Microsoft fixes Exchange flaw

Published: 11 Aug 2004 09:40 BST

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Microsoft published a patch on Tuesday for its Exchange 5.5 email and collaboration server software, fixing a flaw graded as "moderate," the second-lowest of four ratings.

The vulnerability revealed in Tuesday's advisory could be exploited to target people using the Web email component for Exchange, called Outlook Web Access, Microsoft said. An attacker with an account on a company's Exchange server could create a script that, when run by an OWA user on the same server, would give access to the victim's email boxes and information.

The flaw also allows the malicious programmer to place spoofed content, such as fake graphics and Web pages, in the server's cache of Web content.

The vulnerability is not easy to exploit, said Stephen Toulouse, a security program manager at Microsoft, citing several preconditions to making an attack work.

"The attacker would have to have an account, and the user would have to allow access," he said.

Last week, Microsoft shipped its largest collection of fixes and new features for its Windows operating system to manufacturers. The software update, dubbed Service Pack 2, improves the firewall, adds a software applet that displays the current security status of a PC and bolsters other aspects of PC security, the company said.

The SP2 security update does not address server issues, such as the latest Exchange flaw. The problem is in a category known as cross-site scripting vulnerabilities, which enable one site with a more lenient security model to be used to bypass another site's more stringent security.

"Cross-site scripting vulnerabilities are always the more complex ones," Toulouse said. "And this one is really complex."

The vulnerability does not affect Microsoft's most recent email software -- Exchange 2000 and Exchange 2003 -- and will not be a risk if a company using Exchange 5.5 does not have the OWA component installed, Toulouse said.

The Exchange 5.5 patch can be downloaded from Microsoft's Web site. Sanctum, a Web application security provider, found the flaw, the software maker stated in its advisory.

  • Email
  • Trackback
  • Clip Link
  • Print friendly Print with Dell

Did you find this article useful?
52 out of 68 people found this useful


Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Desktop platforms



Company/Topic Alerts

Create a new alert from the list below:






Related Jobs

Application Support - FX - SQL UNIX WINDOWS PERM LONDON

To be considered for the role it is essential that you have strong business knowledge in the Foreign Exchange sector as well as strong Scripting in ...

Operations Support Analyst

As an Operations Support Analyst your main responsibilities will involve: - Providing technical support in relation to the IT Infrastructure and ...

Netapp Pre-Sales Consultant Netapp NFS CFS Windows Unix Exchange SQL

Acting as a Trusted Advisor / Technical Account Manager, liaising with Sales, Account Managers + working directly with the vendors + end users ...

Featured Talkback

So if you upgrade to XP SP3 you can't uninstall Internet Explorer, I'm quite sure I'm having a Deja-vu feeling about MS preventing people from uninstalling Internet Explorer in other Windows products.

By: TheKLF99

Read full story:
Upgraders to XP SP3 warned over IE downgrades

Desktop Management Benchmarking

Test Your Desktop Management Systems

How good are your company's desktop management solutions? How do they compare with those of your peers?

Take two minutes to complete our new Desktop Management and Energy Consumption benchmark, and find out what issues your business needs to focus on.