Reported December 6, 2001, by Microsoft.

VERSIONS AFFECTED

  • Microsoft Exchange Server 5.5 using Outlook Web Access

DESCRIPTION
A vulnerability exists in the Microsoft Exchange Server 5.5 Outlook Web Access (OWA) service that lets an attacker take any action on the user’s mailbox that the user can take, including deleting, moving and sending messages. The vulnerability results from a problem in the way that OWA handles inline script in messages when used in conjunction with Internet Explorer (IE). If the user uses OWA to open an HTML message containing a specially formed script, the script executes under the user’s security context.

VENDOR RESPONSE

The vendor, Microsoft, has released Security Bulletin MS01-057 to address this vulnerability and recommends that affected users apply the patch provided at this URL.

CREDIT
Discovered by Lex Arquette of WhiteHat Security.