Outlook Web Access Script Execution Vulnerability in Microsoft Exchange Server 5.5
A vulnerability in the Outlook Web Access (OWA) service of Microsoft Exchange Server 5.5 lets an attacker take any action on a user's mailbox that the user could take, including deleting, moving and sending messages. OWA delivers HTML messages to the browser without removing script embedded in them, so when the recipient opens a crafted message in Internet Explorer (IE), the attacker's script runs in the context of the user's authenticated OWA session and can act on the mailbox on the attacker's behalf. The patch corrects this by stripping script from messages before OWA sends them to IE. The vulnerability affects only OWA used with IE: the script will not run in the Outlook client or Outlook Express, and according to Microsoft non-IE browsers are not affected either. Lex Arquette of WhiteHat Security is credited with reporting the issue to Microsoft. For more details, see Microsoft Security Bulletin MS01-057. For patches, see Exchange 5.5 Web Client Hotfix 2655.77.
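The kind of filtering the hotfix performs, as an added example that is not Microsoft's code and not taken from the advisory: an allowlist sanitizer for an HTML mail body, written here in Python on the standard library's HTMLParser. It discards script elements with their content, drops on* event-handler attributes, and rejects javascript:/vbscript: URLs, which is the active content a webmail front end must strip before handing a message to the browser. The sample message, the tag and attribute allowlists, and the /owa/action URL in it are constructed for illustration; that URL is hypothetical and not a real OWA path.

```python
"""Allowlist sanitizer for an HTML mail body (added example, not OWA code).

The unpatched behaviour the advisory describes is simply returning the
message body unchanged; sanitize_mail_body() is the hardened counterpart.
"""
from html.parser import HTMLParser
from html import escape

# Tags kept in a mail body; any other tag is dropped but its text is kept.
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "a", "ul", "ol", "li", "div", "span"}
# Attributes kept per tag. Event handlers (on*) are never in this set.
ALLOWED_ATTRS = {"a": {"href"}, "div": {"class"}, "span": {"class"}}
# Elements whose whole content is discarded, not just the tag itself.
DROP_CONTENT = {"script", "style", "object", "embed", "iframe"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # >0 while inside a DROP_CONTENT element
        self.dropped = 0     # count of tags/attributes removed, for logging

    @staticmethod
    def _safe_url(url):
        # Remove whitespace and control characters before checking the scheme,
        # so "java\tscript:" is not accepted as something other than javascript:.
        u = "".join(ch for ch in url if not ch.isspace() and ord(ch) > 31).lower()
        return u.startswith(SAFE_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.drop_depth += 1
            self.dropped += 1
            return
        if self.drop_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped += 1
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name in ALLOWED_ATTRS.get(tag, set()) and not name.startswith("on"):
                if name in ("href", "src") and not self._safe_url(value):
                    self.dropped += 1
                    continue
                kept.append(' %s="%s"' % (name, escape(value, quote=True)))
            else:
                self.dropped += 1
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        # Void syntax such as <br/>: emit the start tag only. A self-closing
        # <script/> must not leave drop_depth raised, so count and skip it.
        if tag in DROP_CONTENT:
            self.dropped += 1
            return
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.drop_depth:
                self.drop_depth -= 1
            return
        if self.drop_depth or tag not in ALLOWED_TAGS:
            return
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data, quote=False))


def sanitize_mail_body(html):
    """Return (sanitized_html, number_of_items_dropped)."""
    p = MailSanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out), p.dropped


# Constructed sample message: inline script, an event handler and a
# javascript: link, each pointing at a hypothetical mailbox-action URL.
SAMPLE_MESSAGE = (
    '<p>Hi <b>Bob</b>, see the attached report.</p>'
    '<script>location="/owa/action?cmd=deleteall"</script>'
    '<img src="x" onerror="document.location=\'/owa/action?cmd=deleteall\'">'
    '<a href="javascript:void(0)" onclick="sendMail()">click</a>'
    '<a href="http://example.test/report">report</a>'
)

if __name__ == "__main__":
    body, dropped = sanitize_mail_body(SAMPLE_MESSAGE)
    print(body)
    print("dropped %d active items" % dropped)
```

A non-zero drop count is also the signal a mail-hygiene check would log: any message from which script had to be removed is one that would have executed in the pre-patch OWA. The allowlist approach is deliberate; a denylist regex for `<script>` misses event handlers, javascript: URLs and tag variants that IE of that era accepted.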