Reported June 08, 2001, by Microsoft.

VERSIONS AFFECTED

  • Microsoft Exchange 2000 Server using Outlook Web Access
  • Microsoft Exchange 5.5 Server using Outlook Web Access
  • Microsoft Internet Explorer

DESCRIPTION
A flaw exists in the way Microsoft Exchange Server Outlook Web Access (OWA) and Microsoft Internet Explorer (IE) interact when handling message attachments. If an attachment contains HTML code that includes script, the script will execute when the user opens the attachment, regardless of the attachment type. Because OWA requires that the user enable scripting in the zone where the OWA server is located, this script can act on the user’s Exchange mailbox as if the script were the user, including modifying and manipulating messages.
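
An added example, not part of the original advisory or of the vendor's patch: a Python check that a mail gateway or an incident responder could run over a raw message to flag attachments whose bytes contain script-bearing HTML, whatever type they are declared as. The marker list, the function names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Heuristic markers of script-bearing HTML (an assumed, deliberately short list).
ACTIVE_HTML = re.compile(
    rb"<\s*(script|iframe|object|embed)\b|\son\w+\s*=|javascript:", re.I)

def scan_attachments(raw_message: bytes):
    """Return (filename, declared_type, disguised) for every attachment whose
    bytes contain active HTML. The declared type is never trusted, because the
    advisory says the script runs regardless of attachment type."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        body = part.get_payload(decode=True) or b""  # undo base64 / quoted-printable
        if ACTIVE_HTML.search(body):
            declared = part.get_content_type()
            findings.append((part.get_filename(), declared, declared != "text/html"))
    return findings

def build_sample() -> bytes:
    """Constructed message: two attachments with inert script, one harmless."""
    inert = "<html><body><script>/* inert placeholder */</script></body></html>"
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "user@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See attached.")
    m.add_attachment(inert, subtype="plain", filename="notes.txt")
    m.add_attachment(inert.encode(), maintype="image", subtype="gif",
                     filename="logo.gif")
    m.add_attachment("Q2 totals: 10, 20, 30", subtype="plain", filename="totals.txt")
    return m.as_bytes()

if __name__ == "__main__":
    for name, declared, disguised in scan_attachments(build_sample()):
        print(f"{name}: declared {declared}, disguised={disguised}")
```

A hit with disguised=True means the file extension and MIME type give no hint of the HTML inside, which is the case the advisory describes.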

 

 

VENDOR RESPONSE

The vendor, Microsoft, has acknowledged this vulnerability and recommends that users immediately apply the patch mentioned in Security Bulletin MS01-030.

CREDIT
Discovered by Joao Gouveia.