Microsoft has warned that a flaw in the Outlook Web Access module
in its Exchange 5.5 e-mail system could allow unauthorised access
to users' mailboxes.
The problem lies in the way Outlook Web Access handles inline
script in HTML e-mail messages, Microsoft said in a security
bulletin. An attacker can get full control over a mailbox when
their e-mail with embedded malicious code is opened using
Microsoft's Internet Explorer browser or Outlook Web Access.
Although the attacker can delete mailbox contents, move messages
and send messages as if they were the user, it is not possible to
send e-mail to addresses in the user's address book, preventing a
mass-mailing attack, Microsoft said.
Outlook Web Access allows users to access their e-mail through the
Web, rather than using the Outlook client software on their
PC.
Microsoft is having a tough time securing Outlook Web Access. In
June, it took the company three patches to plug a similar hole. The
first and second patches for the hole, which affected both Exchange
2000 Server and Exchange 5.5, left administrators with
dysfunctional e-mail systems.
Microsoft, which gives the vulnerability a "moderate" severity
rating, urges administrators that have deployed Outlook Web Access
to immediately install a patch to fix the flaw. The patch is
available from Microsoft's TechNet Web site.
Microsoft's security bulletin can be viewed at
www.microsoft.com/technet/security/bulletin/MS01-057.asp