You are here: silicon.com > Software > Malware

Malware

Microsoft patches Exchange security flaw

"Moderate" vulnerability is difficult to exploit…

Printer Friendly Email Story RSS

By Robert Lemos

Published: 11 August 2004 09:10 GMT

Microsoft has published a patch for its Exchange 5.5 email and collaboration server software, fixing a flaw graded as "moderate," the second-lowest of four ratings.

The vulnerability revealed in Tuesday's advisory could be exploited to target people using the web email component for Exchange, called Outlook Web Access, Microsoft said. An attacker with an account on a company's Exchange server could create a script that, when run by an OWA user on the same server, would give access to the victim's email boxes and information.

The flaw also allows the malicious programmer to place spoofed content, such as fake graphics and web pages, in the server's cache of web content.

The vulnerability is not easy to exploit, said Stephen Toulouse, a security program manager at Microsoft, citing several preconditions to making an attack work.

"The attacker would have to have an account, and the user would have to allow access," he said.

Last week, Microsoft shipped its largest collection of fixes and new features for its Windows operating system to manufacturers. The software update, dubbed Service Pack 2, improves the firewall, adds a software applet that displays the current security status of a PC and bolsters other aspects of PC security, the company said.

The SP2 security update does not address server issues, such as the latest Exchange flaw. The problem is in a category known as cross-site scripting vulnerabilities, which enable one site with a more lenient security model to be used to bypass another site's more stringent security.

"Cross-site scripting vulnerabilities are always the more complex ones," Toulouse said. "And this one is really complex."

The vulnerability does not affect Microsoft's most recent email software - Exchange 2000 and Exchange 2003 - and will not be a risk if a company using Exchange 5.5 does not have the OWA component installed, Toulouse said.

The Exchange 5.5 patch can be downloaded from Microsoft's website. Sanctum, a Web application security provider, found the flaw, the software maker stated in its advisory.

Robert Lemos writes for CNET News.com

Add Comment Add comment  Printer Friendly Print story with   Email Story Email story  
In
Applications

Operating Systems

SOA/Web Services

Malware

Security Strategy


Related Links

Security flaws will be patched, pledges Oracle

Microsoft patches three "critical" IE security holes

Firms patching internet security holes faster

Home Office to give early warning on security holes

Microsoft issues largest patch batch to date

  1. Zones
  2. Management
  3. Networks
  4. Software
  5. IT Services
  6. Hardware
  1. Verticals
  2. Public Sector
  3. Financial Services
  4. Retail & Leisure

Clive Longbottom Windows 7: Not perfect - but ready for prime time Microsoft's latest OS fixes most of Vista's ills - but still has challenges ahead

Stephen Kleynhans Mind the details with Windows 7 Just because it might work better than Vista, it doesn't mean you can be sloppy

Phishers set their sights on corporate accounts

Tax-refund phishing scams hit an all-time high

First critical Windows 7 patches released

Online fraudsters enlist Trojans to run off with your money

Microsoft files lawsuits in malicious-ad crackdown


  • Jobs
Internal Sales (ISE)- Electronic Component Sales

You will be a pro-active decision maker responding to changing customer needs, trends in the market and pricing combined with the ability to be able ...

Technical Solutions Manager - Electronic Component Distribution

Technical Solutions Manager - Electronic Component Distribution Outstanding Opportunity to join a Global Franchised Distributor of Electronic ...

European Military Component Sales

The European Military Component Sales role will be responsible for increasing sales of the company's range of electromechanical components within the ...

Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.

Is Your Enterprise Architected for Tomorrow's Growth?

Improving IT service delivery through an integrated approach to software asset management...

TechRepublic Resource Guide: Software as a Service (SaaS) for Small and Midsize Businesses...

Top 10 DMVs for Easier SQL Server Monitoring

Martin Brokers cashes in on back-up swap

VocaLink makes virtualisation pay

Sony Pictures sets sights on best IT Oscar

Co-op Group kicks "server sprawl" into touch

Arts Council gets tech troubleshooting boost

Torex tech treats Thorntons to quicker sales

Stories from the web...


eBay's Skype sale gets green light

Join the silicon.com LinkedIn networking group

Windows 7: Over 200 per cent more popular than Vista

Bletchley Park's World War Two codebreakers in their own words

Europe: Brace yourself for a telecoms overhaul

BT offers free fibre to Glasgow businesses




Quick Sitemap Links: