HTML Script Can Execute in Outlook Web Access
A security vulnerability exists in Outlook Web Access (OWA) which may allow inline scripts in HTML mail messages to be executed when opened using Internet Explorer.
Issue
OWA requires that scripting be enabled in the zone where the OWA server is located. As a result, an inline script in a message could take any action against the user's Exchange mailbox that the user himself was capable of, including sending, moving, or deleting messages. An attacker could exploit this flaw by sending a specially crafted message to the user. If the user opened the message in OWA, the script would then execute.
While it is possible for a script to send a message as the user, it is impossible for the script to send a message to addresses in the user's address book. Thus, the flaw cannot be exploited for mass-mailing attacks. Also, mounting a successful attack requires knowledge of the intended victim's choice of mail clients and reading habits. If the maliciously crafted message were read in any mail client other than a browser through OWA, the attack would fail.
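A gateway-style check for the condition described above, as an added example that is not part of the original advisory and does not represent how Microsoft's patch works: it scans every text/html part of a message for markup that would run script if a webmail client rendered it unmodified. The tag and attribute lists and both sample messages are constructed assumptions, not an exhaustive filter.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}  # assumed list
URL_ATTRS = {"href", "src", "action", "background"}              # assumed list

class ActiveContentFinder(HTMLParser):
    """Collects markup that would execute if the HTML were rendered as-is."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag/attribute names and unescapes attribute values.
        if tag in ACTIVE_TAGS:
            self.findings.append(("tag", tag))
        for name, value in attrs:
            # Normalise: drop whitespace and control characters, then lowercase.
            compact = "".join(ch for ch in (value or "") if ch > " ").lower()
            if name.startswith("on"):  # inline event handlers such as onload
                self.findings.append(("handler", f"{tag}@{name}"))
            elif name in URL_ATTRS and compact.startswith(("javascript:", "vbscript:")):
                self.findings.append(("script-url", f"{tag}@{name}"))

def scan_message(raw):
    """Return active-content findings for every text/html part of an RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = ActiveContentFinder()
            finder.feed(part.get_content())
            finder.close()
            findings.extend(finder.findings)
    return findings

# Constructed sample messages (not taken from the advisory).
HEADERS = ("From: a@example.test\nTo: b@example.test\nSubject: constructed sample\n"
           "MIME-Version: 1.0\nContent-Type: text/html; charset=utf-8\n\n")
SAMPLE_SCRIPTED = HEADERS + ('<html><body onload="doSomething()"><p>Hello</p>'
                             '<script>doSomething()</script>'
                             '<a href="javascript:void(0)">x</a></body></html>\n')
SAMPLE_BENIGN = HEADERS + ('<html><body><p>Hello '
                           '<a href="http://example.test/">link</a></p></body></html>\n')

if __name__ == "__main__":
    for label, raw in (("scripted", SAMPLE_SCRIPTED), ("benign", SAMPLE_BENIGN)):
        print(label, scan_message(raw))
```

A non-empty result marks a message that should be quarantined or have its HTML part sanitized before it reaches a browser-based mail client.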
Affected Products
- Microsoft Exchange 5.5 Server Outlook Web Access
Download
Patch: http://www.microsoft.com/Downloads/Release.asp?ReleaseID=34402
Further Details
Source: Microsoft Corporation
Reference: Microsoft Corporation
Updated: December 6, 2001