7th Dec 2001 [SBWID-4907]
COMMAND
messages scripts vulnerability
SYSTEMS AFFECTED
Exchange 5.5 Server
PROBLEM
As published in Microsoft Security Bulletin MS01-057, there is a bug in
Outlook Web Access, permitting unwanted script execution.
Outlook Web Access (OWA) is a service of Exchange 5.5 Server that
allows users to access and manipulate messages in their Exchange
mailbox by using a web browser.
A flaw exists in the way OWA handles inline script in messages in
conjunction with Internet Explorer (IE). If an HTML message that
contains specially formatted script is opened in OWA, the script
executes when the message is opened. Because OWA requires that
scripting be enabled in the zone where the OWA server is located, a
vulnerability results because this script could take any action against
the user's Exchange mailbox that the user himself was capable of,
including sending, moving, or deleting messages. An attacker could
maliciously exploit this flaw by sending a specially crafted message to
the user. If the user opened the message in OWA, the script would then
execute.
While it is possible for a script to send a message as the user, it is
impossible for the script to send a message to addresses in the user's
address book. Thus, the flaw cannot be exploited for mass-mailing
attacks. Also, mounting a successful attack requires knowledge of the
intended victim's choice of mail clients and reading habits. If the
maliciously crafted message were read in any mail client other than a
browser through OWA, the attack would fail.
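The flaw described above is a case of active content in an HTML message body executing in the webmail application's own security context. As an added illustration of the generic mitigation for that class of flaw (this code is not part of the advisory and is not Microsoft's fix for MS01-057, which is the patch referenced under SOLUTION), the following Python strips script-bearing elements, javascript: URLs and inline on* event handlers from a message body before it is rendered, and records what it removed so the event can be logged. The sample message and all names in the block are constructed for this example.

```python
"""Strip active content from an HTML mail body before a webmail client renders it.

Added example, not part of the advisory or of the MS01-057 patch. It shows the
generic server-side mitigation for inline script in HTML messages: drop
script-bearing elements, javascript:/vbscript: URLs and on* event handlers,
and keep an audit trail of what was removed. The sample message is constructed.
"""
import html
from html.parser import HTMLParser

# Elements whose content is executable or that can pull in active content.
ACTIVE_ELEMENTS = {"script", "object", "embed", "applet", "iframe"}
# Attributes that take a URL; a javascript: scheme in any of them runs code.
URL_ATTRS = {"href", "src", "action", "background"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def _normalised_scheme(value):
    """Drop whitespace and control characters that browsers ignore inside a
    URL (e.g. 'java\\tscript:') so the scheme check cannot be evaded that way."""
    return "".join(c for c in value if c.isprintable() and not c.isspace()).lower()


class MailHtmlSanitizer(HTMLParser):
    def __init__(self):
        # convert_charrefs=False: entities are passed through, not decoded.
        super().__init__(convert_charrefs=False)
        self.out = []          # sanitised fragments, joined at the end
        self.removed = []      # audit trail: what was stripped
        self._skip_depth = 0   # > 0 while inside a dropped active element

    def _filter_attrs(self, attrs):
        kept = []
        for name, value in attrs:   # HTMLParser lower-cases attribute names
            if name.startswith("on"):              # inline event handler
                self.removed.append(f"handler:{name}")
            elif name in URL_ATTRS and value is not None and \
                    _normalised_scheme(value).startswith(SCRIPT_SCHEMES):
                self.removed.append(f"url:{name}")
            else:
                kept.append((name, value))
        # Attribute values arrive unescaped from the parser; re-escape them.
        return "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept
        )

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self._skip_depth += 1          # drop the element and its content
            self.removed.append(f"element:{tag}")
        elif not self._skip_depth:
            self.out.append(f"<{tag}{self._filter_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in ACTIVE_ELEMENTS:
            self.removed.append(f"element:{tag}")
        elif not self._skip_depth:
            self.out.append(f"<{tag}{self._filter_attrs(attrs)}/>")

    def handle_endtag(self, tag):
        if tag in ACTIVE_ELEMENTS:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))

    def handle_entityref(self, name):
        if not self._skip_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self._skip_depth:
            self.out.append(f"&#{name};")

    def handle_comment(self, data):
        # Comments are dropped: a reader never needs them, and IE's conditional
        # comments let markup inside a comment be parsed by that browser.
        self.removed.append("comment")


def sanitize_mail_html(body):
    """Return (sanitised_html, removed_items) for one message body."""
    parser = MailHtmlSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample: an ordinary-looking message carrying three forms of
# active content that a webmail renderer must not pass to the browser.
SAMPLE_MESSAGE = (
    '<p onmouseover="void(0)">Quarterly figures attached.</p>'
    '<script>void(0)</script>'
    '<a href=" javascript:void(0)">details</a>'
    '<img src="cid:chart.png" alt="chart">'
)

if __name__ == "__main__":
    clean, removed = sanitize_mail_html(SAMPLE_MESSAGE)
    print(clean)
    print("removed:", removed)
```

The deny-list here covers exactly the vectors the advisory's class of flaw turns on (script elements, script URLs, event handlers); a production sanitizer should instead allow-list the elements and attributes a mail body legitimately needs and drop everything else, because a deny-list has to be extended every time a browser learns a new way to run script. The `removed` audit trail is what you would feed to logging or alerting, since a message body that needed sanitising is itself a signal worth recording.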
SOLUTION
Mitigating Factors:
- A successful attack would require the victim to read the message
in IE using OWA only. The attack would fail if read in any
other mail client.
- A successful attack would also require knowledge of the version
of OWA in use. The attack would fail on other versions of OWA.
- A successful attack can only take action on the mailbox on the
Exchange Server as the user. It cannot take action on the user's
local machine. It cannot take action on any other user's mailbox
directly. Nor can it take action directly on the Exchange Server.
Patch Availability:
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-057.asp
for information on obtaining this patch.
Acknowledgment:
- Lex Arquette of WhiteHat Security (http://www.whitehatsec.com)