Latest security scare comes just one month after launch
Published: 25 November 2003 08:50 GMT
Microsoft is investigating what may be a serious flaw in Exchange Server 2003, only a month after the software's launch as part of Office System 2003.
The bug appears to affect an Exchange component called Outlook Web Access (OWA), which allows users to access their inboxes and folders via a web browser.
Consumers logging into their web-based mailbox sometimes find themselves accessing another user's account, with full privileges, according to Matthew Johnson, a network administrator with a US company that sells tools for investors and fund managers. Johnson reported the bug earlier this month on the NTBugtraq security mailing list.
"This seems to be a major security flaw, and we have had to shut off OWA indefinitely because of the issue," Johnson wrote.
Microsoft has said it is investigating the issue and that the flaw appears to occur only when Kerberos authentication is disabled. Kerberos is the method - developed at the Massachusetts Institute of Technology - that Microsoft uses for authenticating requests for services. For the moment, the company is advising customers to keep Kerberos authentication enabled, as it is by default and may issue a patch or more information when its investigation is complete.
However, Johnson said that Microsoft's initial analysis doesn't seem to be correct, because his company did not alter Exchange Server's default configuration and thus should have been using Kerberos. He initially reported the bug to the software giant two months ago, and said Microsoft is in the process of testing patches.
Microsoft did not respond to requests for additional comment.
Earlier editions of OWA have suffered their share of security problems. In 2001, Microsoft released a patch for the OWA feature in Exchange 5.5 and 2000, but the patch itself notoriously caused many servers to overload and hang and was pulled offline; a second patch also contained a catastrophic bug.
A week and a half ago, Aaron Greenspan, a Harvard University junior and president of consulting company Think Computer, published a white paper concluding that Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail.
Matthew Broersma writes fro ZDNet UK
Working knowledge of how applications are distributed across networks (SMS, Linux satellite server, Network security and user authentication Change ...
Analysis of customer requirements; including the running of requirement capture meetings and workshops with the clients.Solution design.Documenting ...
You will be responsible for bug and patch fixing of core products as well as development of new products. (Java, J2SE, Developer, Open Source, Perl, ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Clive Longbottom Windows 7: Not perfect - but ready for prime time Microsoft's latest OS fixes most of Vista's ills - but still has challenges ahead
Stephen Kleynhans Mind the details with Windows 7 Just because it might work better than Vista, it doesn't mean you can be sloppy