
Microsoft patches Exchange security flaw

"Moderate" vulnerability is difficult to exploit…

By Robert Lemos

Published: 11 August 2004 09:10 GMT

Microsoft has published a patch for its Exchange 5.5 email and collaboration server software, fixing a flaw graded as "moderate," the second-lowest of four ratings.

The vulnerability revealed in Tuesday's advisory could be exploited to target people using the web email component for Exchange, called Outlook Web Access, Microsoft said. An attacker with an account on a company's Exchange server could create a script that, when run by an OWA user on the same server, would give access to the victim's email boxes and information.

The flaw also allows the malicious programmer to place spoofed content, such as fake graphics and web pages, in the server's cache of web content.

The vulnerability is not easy to exploit, said Stephen Toulouse, a security program manager at Microsoft, citing several preconditions to making an attack work.

"The attacker would have to have an account, and the user would have to allow access," he said.

Last week, Microsoft shipped its largest collection of fixes and new features for its Windows operating system to manufacturers. The software update, dubbed Service Pack 2, improves the firewall, adds a software applet that displays the current security status of a PC and bolsters other aspects of PC security, the company said.

The SP2 security update does not address server issues, such as the latest Exchange flaw. The problem is in a category known as cross-site scripting vulnerabilities, which enable one site with a more lenient security model to be used to bypass another site's more stringent security.

"Cross-site scripting vulnerabilities are always the more complex ones," Toulouse said. "And this one is really complex."

The vulnerability does not affect Microsoft's most recent email software - Exchange 2000 and Exchange 2003 - and will not be a risk if a company using Exchange 5.5 does not have the OWA component installed, Toulouse said.

The Exchange 5.5 patch can be downloaded from Microsoft's website. Sanctum, a Web application security provider, found the flaw, the software maker stated in its advisory.

Robert Lemos writes for CNET News.com
