How timely of Microsoft to release a security vulnerability bulletin for Exchange Server on the same day my Exchange column ran! Microsoft's announcement last week about a security hole in Exchange (specifically Outlook Web Access—OWA) along with last week's Exchange UPDATE (see the URL at the end of this column) might have started you thinking about Exchange security. So what's the OWA vulnerability and should administrators and users be alarmed?
First, if you don't use OWA with Exchange 5.5 or Exchange 2000, you have nothing to worry about. The security vulnerability that Microsoft announced late last week affects only Internet Explorer (IE) users who access their mailboxes via OWA. The problem exists in the interaction between OWA and IE for message attachments. If an attachment contains HTML code that includes script, the script could execute when someone opens the attachment, regardless of the attachment type.
The vulnerability lets someone attach an HTML file containing script that, when run in the user's OWA session, can delete or send messages or otherwise manipulate the mailbox. Keep in mind, however, that this vulnerability is no different from other virus attacks that we've experienced in the past—it's just targeted at OWA instead of the Outlook client. The success of such an attack depends on the gullibility of your users, and the same best practices apply for avoiding infection. Train your users not to open attachments from unknown or untrusted sources. Take steps to educate and inform users about the problem and remind them that they should always practice good judgment when opening attachments—regardless of the client they use to access Exchange.
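Because the attachment's declared type does not prevent IE from running script it finds inside, a mail-side check has to look at the attachment bytes rather than the Content-Type or file extension. The following is an added example (not code from the column or from Microsoft) that walks a MIME message with Python's standard `email` package and flags any attachment whose content carries script markers, whatever type it claims to be; the sample message and the `notes.txt` attachment are constructed for the demonstration.

```python
import email
import re
from email import policy

# Constructed sample message: the attachment is declared text/plain and
# named notes.txt, but its bytes are HTML containing a <script> element,
# the pattern the advisory describes.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See attached.
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

<html><body><script>document.title='x'</script></body></html>
--b1--
"""

# Heuristic markers of active HTML content: a script element, an inline
# event-handler attribute (onload=, onclick=, ...) or a javascript: URL.
# The match is made against the decoded bytes, never the declared type.
ACTIVE_HTML = re.compile(rb"<\s*script\b|\bon\w+\s*=|javascript:", re.IGNORECASE)


def suspicious_attachments(raw: bytes) -> list:
    """Return (filename, declared_content_type) for every attachment whose
    decoded bytes contain script markers, regardless of declared type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if ACTIVE_HTML.search(payload):
            flagged.append((part.get_filename(), part.get_content_type()))
    return flagged


if __name__ == "__main__":
    # Expected: [('notes.txt', 'text/plain')]
    print(suspicious_attachments(SAMPLE_MESSAGE))
```

The event-handler pattern is deliberately broad and will occasionally flag ordinary text such as `one=1`; in a gateway filter that is the safer direction to err, but tune it to your own mail traffic.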
You can find more information about this security vulnerability (including the patch that addresses it) on the Microsoft TechNet site. Microsoft also released article Q299535, which provides additional information. Be careful as you update your Exchange servers with the Microsoft patch. The initial release that Microsoft posted June 6 was a little premature, and Microsoft posted another version on June 8. Make sure you apply the latest version to your servers. The correct version is located here.