Systems Affected: Microsoft Outlook Web Access 2003 and 2007
(Exchange Server 2003 SP2, Exchange Server 2007,
Exchange Server 2007 SP1)
Category: Cross Site Scripting, Cross Site Request Forgery
Author: Context Information Security Ltd
Reported to vendor: 10th January 2008
Advisory Issued: 10th July 2008
At this point the attack would spread as a XSS worm (albeit one requiring the user to view the incoming email). This could potentially affect all users of the OWA application.
Microsoft Exchange Server 2003
Microsoft Exchange Server 2007
Microsoft Exchange Server 2007 SP1
On 9th July 2008, Microsoft issued a security bulletin MS08-039 and an associated patch for Exchange Server 2003 and Exchange Server 2007 SP1
Patches are available from:
Context would recommend that these patches be installed as soon as practical to all Exchange Servers providing OWA functionality.
This issue has been assigned CVE numbers CVE-2008-2247 and CVE-2008-2248.
10 January 2008 - Initial Discovery and vendor notification.
14th January 2008 - Vendor response requesting further details.
14th March 2008 - Vendor response requesting PoC. PoC provided.
9th July 2008 - Vendor advisory release.
10th July 2008 - Context Information Security Ltd advisory release.
Michael Jordon of Context Information Security Ltd
About Context Information Security
Context Information Security Limited is a specialist information security consultancy based in London and Frankfurt. Context promotes the holistic approach to information security and helps clients to identify, assess and control their exposure to risk within the fields of IT, telephony and physical security. Context employs experienced information security professionals who are subject-matter experts in their various technical specialism's. Context works extensively within the finance, legal, defence and government sectors, delivering high-end information security projects to organisations for which security is a priority.