__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________
INFORMATION BULLETIN
Microsoft Exchange Server 5.5 Outlook Web Access Vulnerability
[Microsoft Security Bulletin MS03-047]
October 16, 2003 14:00 GMT Number O-010
[REVISED 17 Oct 2003]
______________________________________________________________________________
PROBLEM: A cross-site scripting (XSS) vulnerability has been identified
due to the way that Outlook Web Access (OWA) performs HTML
encoding in the Compose New Message form.
SOFTWARE: Microsoft Exchange Server 5.5, Service Pack 4
DAMAGE: An attacker could cause arbitrary code to run during another
user's Web session. The code could take any action on the
user's computer that the Web site is authorized to take; this
could include monitoring the Web session and forwarding
information to a third party, running other code on the user's
system and reading or writing cookies. The code could be
written to be persistent, so that if the user returned to the
Web site again, the code would run again.
SOLUTION: Apply appropriate patches or implement workarounds.
______________________________________________________________________________
VULNERABILITY The risk is MEDIUM. This vulnerability cannot be "injected"
ASSESSMENT: into a Web session; it can only be exploited if the user clicks
a hyperlink that an attacker provides. An attacker would have
to know the name of a user's Exchange server and then entice
the user to open a specially-formed link from some other source
while the user is logged on to OWA.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-010.shtml
ORIGINAL BULLETIN:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-047.asp
CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0712
ADDITIONAL LINKS: CERT Advisory CA-2003-27
http://www.cert.org/advisories/CA-2003-27.html
______________________________________________________________________________
REVISION HISTORY:
10/17/03 - added link to CERT Advisory CA-2003-27.
[***** Start Microsoft Security Bulletin MS03-047 *****]
Microsoft Security Bulletin MS03-047
Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site
Scripting Attack (828489)
Issued: October 15, 2003
Version Number: 1.0
Summary
Who Should Read This Document: System administrators who have servers running
Microsoft® Exchange Server 5.5 Outlook® Web Access
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Moderate
Recommendation: System administrators should install this security patch on their
servers running Outlook Web Access 5.5
Patch Replacement: None
Caveats: Customers who have customized any of the ASP pages listed in the File Information
section of this document should back up those files before applying this patch, because they
will be overwritten when the patch is applied. Any customizations would then need to
be reapplied to the new ASP pages.
Tested Software and Patch Download Locations:
Affected Software:
* Microsoft Exchange Server 5.5, Service Pack 4 - Download the patch
Non Affected Software:
* Microsoft Exchange 2000 Server
* Microsoft Exchange Server 2003
The software listed above has been tested to determine whether these versions are
affected. Other versions are no longer supported and may or may not be affected.
Technical Details
Technical Description:
A cross-site scripting (XSS) vulnerability results due to the way that Outlook Web
Access (OWA) performs HTML encoding in the Compose New Message form.
An attacker could seek to exploit this vulnerability by having a user run script on
the attacker's behalf. The script would execute in the security context of the user.
If the script executes in the security context of the user, the attacker's code could
then execute by using the security settings of the OWA Web site (or of a Web site
that is hosted on the same server as the OWA Web site) and could enable the attacker
to access any data belonging to the site where the user has access.
To exploit this vulnerability through OWA, an attacker would have to send an e-mail
message that has a specially-formed link to the user. The user would then have to
click the link. To exploit this vulnerability in another way, an attacker would have
to know the name of the user's Exchange server and then entice the user to open a
specially-formed link from another source while the user is logged on to OWA.
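The following is an added illustration, not code from the bulletin or from Outlook Web Access: a hypothetical compose form whose To and Subject fields are pre-filled from a link's query string, rendered once without HTML encoding (the class of defect described above) and once with attribute-context encoding, plus a small parser-based check a tester can use to confirm that a supplied value can no longer break out of its attribute. Field names and the sample link are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Hypothetical template: the form pre-fills two fields from the request.
# Only <form> and <input> tags are ever emitted by the template itself.
FORM = ('<form method="post">'
        '<input name="to" value="{to}">'
        '<input name="subject" value="{subject}">'
        '</form>')

# Constructed sample link: the subject value carries a quote and a tag.
SAMPLE_QUERY = "to=alice%40example.com&subject=hi%22%3E%3Cb%3Ex%3C%2Fb%3E"


def _fields(query: str) -> dict:
    params = parse_qs(query)  # percent-decodes the values
    return {k: params.get(k, [""])[0] for k in ("to", "subject")}


def render_unencoded(query: str) -> str:
    """Defective: reflects the decoded values straight into the HTML."""
    return FORM.format(**_fields(query))


def render_encoded(query: str) -> str:
    """Hardened: HTML-encodes each value, including quotes, so the value
    stays inside the attribute it was placed in."""
    f = {k: html.escape(v, quote=True) for k, v in _fields(query).items()}
    return FORM.format(**f)


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(rendered: str) -> list:
    """Parse the rendered page and return any tag the template does not
    emit; a non-empty result means a reflected value broke out of its
    attribute context."""
    p = _TagCollector()
    p.feed(rendered)
    return [t for t in p.tags if t not in ("form", "input")]


if __name__ == "__main__":
    print("unencoded:", unexpected_tags(render_unencoded(SAMPLE_QUERY)))
    print("encoded:  ", unexpected_tags(render_encoded(SAMPLE_QUERY)))
```

The same parser check works as a regression test for any page that reflects request values into a form: run it over the rendered output and fail the build if it reports tags the template never produces.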
Note: Customers who have customized any of the ASP pages listed in the File Information
section of this document should back up those files before applying this patch, because
they will be overwritten when the patch is applied. Any customizations would then
need to be reapplied to the new ASP pages. Please refer to the Microsoft Support
Policy for the Customization of Outlook Web Access, available at
http://support.microsoft.com/default.aspx?scid=kb;en-us;327178
Mitigating factors:
* To be affected, the user would have to be logged onto OWA, be enticed to log on to
OWA, or use another Web application on the same server as OWA. Generally, a server
that runs Exchange Server 5.5 Outlook Web Access does not run other Web applications
for reasons of performance, scalability, and security.
* To exploit this vulnerability through OWA, an attacker would have to send an e-mail
message that has a specially-formed link to a user. The user would then have to click
the link.
* In the Web-based attack vector, an attacker would have to know the name of a user's
Exchange server and then entice the user to open a specially-formed link from some
other source while the user is logged on to OWA.
Severity Rating:
*******************************************************
Exchange Server 5.5 Outlook Web Access Moderate
*******************************************************
The above assessment is based on the types of systems affected by the vulnerability,
their typical deployment patterns, and the effect that exploiting the vulnerability
would have on them.
Vulnerability identifier: CAN-2003-0712
Workarounds
Microsoft has tested the following workarounds. These workarounds will not correct the
underlying vulnerability; however, they help block known attack vectors. Workarounds may
cause a reduction in functionality in some cases; where this is so, it is identified
below.
* Disable Outlook Web Access for each Exchange site
Outlook Web Access can be disabled by following these steps. These steps need to be
performed on each Exchange site.
1. Start Exchange Administrator
2. Expand the Configuration container for the site.
3. Select the Protocols container for the site.
4. Open the properties of the HTTP (Web) Site Settings object
5. Clear the "Enable Protocol" checkbox.
6. Wait for the change to replicate, and then verify that this change has replicated
to each server in the site. To do this, bind to each server in the site with Exchange
Administrator and view the setting.
Impact of Workaround: Users will have no access to their mailboxes via Outlook Web Access.
* Uninstall Outlook Web Access.
Uninstall Outlook Web Access. For steps on how to do this, please refer to the Knowledge
Base Article "How to Completely Remove and Re-Install OWA" available at
http://support.microsoft.com/default.aspx?scid=kb;en-us;290287
Impact of Workaround: Users will have no access to their mailboxes via Outlook Web Access.
For additional information about how to help make your Exchange environment more secure,
visit the Security Resources for Exchange 5.5 Web site.
Security Patch Information
For information about the specific security patch for your platform, click the appropriate
link:
* Exchange Server 5.5 SP4
Acknowledgments
Microsoft thanks the following for working with us to protect customers:
* Ory Segal of Sanctum Inc. for reporting the issue described in MS03-047.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
* Security patches are available from the Microsoft Download Center, and can be most
easily found by doing a keyword search for "security_patch".
* Patches for consumer platforms are available from the WindowsUpdate web site
Support:
* Technical support is available from Microsoft Product Support Services at
1-866-PCSAFETY. There is no charge for support calls associated with security patches.
Security Resources:
* The Microsoft TechNet Security Web Site provides additional information about security
in Microsoft products.
* Microsoft Software Update Services: http://www.microsoft.com/sus/
* Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa.
Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of
security patches that have detection limitations with MBSA tool.
* Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
* Windows Update: http://windowsupdate.microsoft.com
* Office Update: http://office.microsoft.com/officeupdate/
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without
warranty of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular purpose. In no
event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised of the possibility
of such damages. Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
* V1.0 (October 15, 2003): Bulletin published.
[***** End Microsoft Security Bulletin MS03-047 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Microsoft for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
N-159: OpenSSL Security Advisory vulnerabilities in ASN.1 parsing
O-001: Sun aspppls(1M) does not create the temporary file /tmp/.asppp.fifo safely
O-002: Microsoft Internet Explorer Cumulative Patch
O-003: HP Potential Security Vulnerability in dtprintinfo
O-004: Microsoft Buffer Overrun in Messenger Service Could Allow Code Execution
O-005: Microsoft Exchange Server Vulnerabilities
O-006: Microsoft Authenticode Verification Vulnerability
O-007: Microsoft Windows Help and Support Center Buffer Overrun Vulnerability
O-008: Microsoft Troubleshooter ActiveX Control Buffer Overflow Vulnerability
O-009: Microsoft Listbox and ComboBox Control Buffer Overrun Vulnerabilities