A patch for the Outlook Web Access module of Microsoft's Exchange
5.5 Server can render the Web-based e-mail system useless, IT
administrators have complained, prompting Microsoft to update and
re-release its security bulletin.
If the Outlook Web Access server that the patch is applied to does
not have Internet Explorer version 5.0 or later installed, file
dependency issues can cause "unexpected consequences", Microsoft
said.
Installing the patch on servers with an older version of IE had
various results, according to postings in a forum for Exchange
administrators on Microsoft's TechNet Web site. There are reports
of disabled systems that only show message headers, not the body,
as well as general installation problems.
Exchange administrators could have to get used to dealing with
several versions of security bulletins and patches before their
system is patched and running again. Earlier this year it took
Microsoft three patches to plug a similar Outlook Web Access hole
in Exchange 2000. Exchange 5.5 was also affected, but that patch
worked on the first go.
The original bulletin did not list any caveats. The updated
bulletin lists the IE version requirement and recommends users
upgrade to IE 5.5 with Service Pack 2 (SP2) or IE 6.0. Hotfix
support is only available for these latest versions of IE,
Microsoft said.
The patch is to fix a flaw in the way Outlook Web Access handles
inline script in HTML e-mail messages. An attacker can hijack a
user's mailbox when his message with malicious code is opened using
IE and Outlook Web Access, according to Microsoft.