You are here: silicon.com > Software > Malware

Malware

Microsoft patches Exchange security flaw

"Moderate" vulnerability is difficult to exploit…

Printer Friendly Email Story RSS

By Robert Lemos

Published: 11 August 2004 09:10 BST

Microsoft has published a patch for its Exchange 5.5 email and collaboration server software, fixing a flaw graded as "moderate," the second-lowest of four ratings.

The vulnerability revealed in Tuesday's advisory could be exploited to target people using the web email component for Exchange, called Outlook Web Access, Microsoft said. An attacker with an account on a company's Exchange server could create a script that, when run by an OWA user on the same server, would give access to the victim's email boxes and information.

The flaw also allows the malicious programmer to place spoofed content, such as fake graphics and web pages, in the server's cache of web content.

The vulnerability is not easy to exploit, said Stephen Toulouse, a security program manager at Microsoft, citing several preconditions to making an attack work.

"The attacker would have to have an account, and the user would have to allow access," he said.

Last week, Microsoft shipped its largest collection of fixes and new features for its Windows operating system to manufacturers. The software update, dubbed Service Pack 2, improves the firewall, adds a software applet that displays the current security status of a PC and bolsters other aspects of PC security, the company said.

The SP2 security update does not address server issues, such as the latest Exchange flaw. The problem is in a category known as cross-site scripting vulnerabilities, which enable one site with a more lenient security model to be used to bypass another site's more stringent security.

"Cross-site scripting vulnerabilities are always the more complex ones," Toulouse said. "And this one is really complex."

The vulnerability does not affect Microsoft's most recent email software - Exchange 2000 and Exchange 2003 - and will not be a risk if a company using Exchange 5.5 does not have the OWA component installed, Toulouse said.

The Exchange 5.5 patch can be downloaded from Microsoft's website. Sanctum, a Web application security provider, found the flaw, the software maker stated in its advisory.

Robert Lemos writes for CNET News.com

Add Comment Add comment  Printer Friendly Print story with   Email Story Email story  
In
Applications

Operating Systems

SOA/Web Services

Malware

Security Strategy


Related Links

Security flaws will be patched, pledges Oracle

Microsoft patches three "critical" IE security holes

Firms patching internet security holes faster

Home Office to give early warning on security holes

Microsoft issues largest patch batch to date

  1. Zones
  2. Management
  3. Networks
  4. Software
  5. IT Services
  6. Hardware
  1. Verticals
  2. Public Sector
  3. Financial Services
  4. Retail & Leisure

Peter Cochrane Peter Cochrane's Blog: Is convergence a fiction? Or could it finally be happening…

Clive Longbottom Quocirca's Straight Talking: A game of two halves Microsoft Virtualisation scores while its SOA bores...

How the good guys fight the security arms race

UK banks targeted by phishing attacks

Mobile malware: The threat exists

silicon.com Classics: 'Nigerian' money scam - What happens when you reply?

First iPhone Trojan reported

Cyber spies plan attacks next year


  • Jobs
SQL Server DBA. DW, Data warehousing, ETL, SQL Scripts. Manchester

Data Warehousing (DW), ETL, SQL Scripting, as well as some development tools such as T-SQL & Stored Procedures. Expense account, car allowance and ...

Oracle DBA- Linux/ Unix/ Sun Solaris opportunity- London 35k

Patch Management, Systems Tuning, Systems Hardening (security), Backup/Recovery, Shell Scripting, Hardware Setup/Configuration, Production ...

Environment Engineer

Other activities would include booking and scheduling rig usage, ensuring all Government Furnished Equipment remains traceable and ensuring currency ...

CIO50 2008
The silicon.com CIO50 2008 profiles the most influential and innovative tech chiefs in the UK across all industries and organisation size, from the biggest FTSE100 companies to high growth dot-com start ups and the public sector. The list was voted on by the UK CIO community and a panel of experts. Find out more in our latest special report.

Law firm gets SaaSy with email security

Taylor Woodrow heads for the cloud

College classrooms go high-tech

Customer Perspective: Tata Telecom

eVerge Takes on the Competition With PeopleSoft ESA for Professional Services

Microsoft Dynamics GP Demo

MSDN Webcast: Demystifying Office Business Applications for the Developer (Level...

Stories from the web...


Peter Cochrane's Video Blog: For whom the bell tolls

60-Second Pitch: FMC

Peter Cochrane's Video Blog: Power outrage


The £500k hunt for missing HMRC discs

Beeb appoints new iPlayer chief

Indian outsource giants feeling the pinch

Has Barclays stamped out fraud with PINsentry?

Number of free ATMs to increase by a third




Quick Sitemap Links: