Security Strategy

Exchange Server hole allows email spying

Latest security scare comes just one month after launch

By Matthew Broersma

Published: 25 November 2003 08:50 GMT

Microsoft is investigating what may be a serious flaw in Exchange Server 2003, only a month after the software's launch as part of Office System 2003.

The bug appears to affect an Exchange component called Outlook Web Access (OWA), which allows users to access their inboxes and folders via a web browser.

Consumers logging into their web-based mailbox sometimes find themselves accessing another user's account, with full privileges, according to Matthew Johnson, a network administrator with a US company that sells tools for investors and fund managers. Johnson reported the bug earlier this month on the NTBugtraq security mailing list.

"This seems to be a major security flaw, and we have had to shut off OWA indefinitely because of the issue," Johnson wrote.

Microsoft has said it is investigating the issue and that the flaw appears to occur only when Kerberos authentication is disabled. Kerberos is the method - developed at the Massachusetts Institute of Technology - that Microsoft uses for authenticating requests for services. For the moment, the company is advising customers to keep Kerberos authentication enabled, as it is by default, and may issue a patch or more information when its investigation is complete.

However, Johnson said that Microsoft's initial analysis doesn't seem to be correct, because his company did not alter Exchange Server's default configuration and thus should have been using Kerberos. He initially reported the bug to the software giant two months ago, and said Microsoft is in the process of testing patches.

Microsoft did not respond to requests for additional comment.

Earlier editions of OWA have suffered their share of security problems. In 2001, Microsoft released a patch for the OWA feature in Exchange 5.5 and 2000, but the patch itself notoriously caused many servers to overload and hang and was pulled offline; a second patch also contained a catastrophic bug.

A week and a half ago, Aaron Greenspan, a Harvard University junior and president of consulting company Think Computer, published a white paper concluding that Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail.

Matthew Broersma writes for ZDNet UK
