From: Microsoft Product Security (secnotif@MICROSOFT.COM)
Date: Thu Dec 06 2001 - 17:35:19 CST


    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
                        ********************************

    -----BEGIN PGP SIGNED MESSAGE-----

    - ----------------------------------------------------------------------
    Title: Specially Formed Script in HTML Mail can Execute in
                Exchange 5.5 OWA
    Date: 06 December 2001
    Software: Microsoft Exchange 5.5 Server Outlook Web Access
    Impact: Run Code of Attacker's Choice
    Max Risk: Medium
    Bulletin: MS01-057

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS01-057.asp.
    - ----------------------------------------------------------------------

    Issue:
    ======
    Outlook Web Access (OWA) is a service of Exchange 5.5 Server that
    allows users to access and manipulate messages in their Exchange
    mailbox by using a web browser.

    A flaw exists in the way OWA handles inline script in messages in
    conjunction with Internet Explorer (IE). If an HTML message that
    contains specially formatted script is opened in OWA, the script
    executes when the message is opened. Because OWA requires that
    scripting be enabled in the zone where the OWA server is located,
    the script runs with the user's privileges and could take any
    action against the user's Exchange mailbox that the user himself
    was capable of, including sending, moving, or deleting messages. An
    attacker could maliciously exploit this flaw by sending a
    specially crafted message to the user. If the user opened the
    message in OWA, the script would then execute.

    While it is possible for a script to send a message as the user,
    it is impossible for the script to send a message to addresses in
    the user's address book. Thus, the flaw cannot be exploited for
    mass-mailing attacks. Also, mounting a successful attack requires
    knowledge of the intended victim's choice of mail clients and
    reading habits. If the maliciously crafted message were read in
    any mail client other than a browser through OWA, the attack
    would fail.
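    The flaw described above is a case of untrusted HTML mail being rendered in a browser zone where scripting is enabled. The bulletin does not describe the exact script formatting involved, and the fix is the vendor patch; the following is an added example (not Microsoft's or OWA's code) of the general defensive measure a mail-rendering front end applies: an allowlist sanitizer that strips script elements, event-handler attributes and non-http(s)/mailto link schemes from message HTML before it reaches the browser. The sanitizer also returns a list of what it removed, which can be logged as a detection signal for messages carrying active content. Tag and attribute allowlists, the sample message, and the `sanitize_html_mail` name are all assumptions made for this example.

```python
"""Allowlist-based sanitizer for HTML mail before browser rendering.
Added example; not part of the Microsoft bulletin or of OWA."""
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlists: markup a mail reader typically needs to display a message.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li",
                "div", "span", "table", "tr", "td", "th", "blockquote"}
# Elements whose *content* is dropped as well as the tags themselves.
DROP_WITH_CONTENT = {"script", "style", "object", "embed", "iframe", "applet"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "td": {"colspan", "rowspan"},
                 "th": {"colspan", "rowspan"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class MailSanitizer(HTMLParser):
    """Rebuilds only allowlisted markup; everything else is discarded."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0      # > 0 while inside a dropped element
        self.findings = []       # what was removed, for logging/detection

    @staticmethod
    def _safe_url(value):
        # Browsers ignore control characters and whitespace inside a scheme,
        # so collapse them before checking (e.g. "java\tscript:").
        cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
        return cleaned.startswith(SAFE_SCHEMES)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            self.findings.append(f"dropped <{tag}> element")
            return
        if self.skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"removed tag <{tag}>")
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                self.findings.append(f"removed event handler {name} on <{tag}>")
                continue
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not self._safe_url(value or ""):
                self.findings.append(f"removed unsafe href on <{tag}>")
                continue
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text inside <script>/<style> arrives here too; skip_depth drops it.
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) never reach the browser


def sanitize_html_mail(html):
    """Return (sanitized_html, findings) for one HTML message body."""
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample message mixing benign markup with active content.
SAMPLE_MESSAGE = (
    '<p onmouseover="x()">Hello <b>there</b></p>'
    '<SCRIPT>alert(1)</SCRIPT>'
    '<a href="java\tscript:void(0)">link</a>'
    '<a href="https://example.com/">ok</a><br/>'
)

if __name__ == "__main__":
    clean, removed = sanitize_html_mail(SAMPLE_MESSAGE)
    print(clean)
    for item in removed:
        print("finding:", item)
```

    Running the module on the constructed sample leaves only the plain paragraph, the two links (the first stripped of its href) and the line break, and reports three findings: the event handler, the script element and the obfuscated link scheme. The parser is a rebuild-from-allowlist design rather than a blocklist, which is what matters for mail: anything the allowlist does not name, including markup the parser does not recognise, is dropped rather than passed through.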

    Mitigating Factors:
    ====================
     - A successful attack would require the victim to read the message
       in IE using OWA. The attack would fail if the message were read in
       any other mail client.
     - A successful attack would also require knowledge of the version
       of OWA in use. The attack would fail on other versions of OWA.
     - A successful attack can only take action on the mailbox on the
       Exchange Server as the user. It cannot take action on the user's
       local machine. It cannot take actions on any other user's mailbox
       directly. Nor can it take actions directly on the Exchange Server.

    Risk Rating:
    ============
     - Internet systems: Moderate
     - Intranet systems: Moderate
     - Client systems: None

    Patch Availability:
    ===================
     - A patch is available to fix this vulnerability. Please read the
       Security Bulletin at
       http://www.microsoft.com/technet/security/bulletin/ms01-057.asp
       for information on obtaining this patch.

    Acknowledgment:
    ===============
     - Lex Arquette of WhiteHat Security (http://www.whitehatsec.com)

    - ---------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
    PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
    ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
    IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
    FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
    CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
    MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
    OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
    SO THE FOREGOING LIMITATION MAY NOT APPLY.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1

    iQEVAwUBPA/6iY0ZSRQxA/UrAQGilggAikP7XNxSWstX7sQ67uO5sqSKDhaY/CAz
    Zb02lYKG9tztDRZ8uI+mpwYkdDLXvMDL3q7DsZAJO9x0IU0yJZ6/SE2gKaavQkmA
    G03QoNwIKekVLbMvzMXq/HQIGooGCAPqBVGh3agD7kDUhs7JMr+t94Rx3gR659t/
    jPm7IBlKLHk0PIebRxuqZS7JfnYsTIeFVhNFoMVWd9Dt6bUJQ17RkhDM7yuQI+ca
    k5jku2BqD+TVpu7w+gmqvGqr7FB3WismKFeZJ8yjNBBuMkEwhflkccSff3OccB8o
    a3/fSbFEaCXVoR05d7MejEdNnOJkeV9I1KsA5V/HVN855iVj+P943A==
    =nxkT
    -----END PGP SIGNATURE-----

       *******************************************************************
    You have received this e-mail bulletin as a result of your registration
    to the Microsoft Product Security Notification Service. You may
    unsubscribe from this e-mail notification service at any time by sending
    an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
    The subject line and message body are not used in processing the request,
    and can be anything you like.

    To verify the digital signature on this bulletin, please download our PGP
    key at http://www.microsoft.com/technet/security/notify.asp.

    For more information on the Microsoft Security Notification Service
    please visit http://www.microsoft.com/technet/security/notify.asp. For
    security-related information about Microsoft products, please visit the
    Microsoft Security Advisor web site at http://www.microsoft.com/security.
