[ISN] Security hole found in Exchange 2000

From: InfoSec News (isnat_private)
Date: Fri Jun 08 2001 - 00:52:55 PDT

  • Next message: InfoSec News: "[ISN] Bulgarian Bugmeister Turns His Gaze To Sun"

    By Robert Lemos
    Special to CNET News.com 
    June 7, 2001, 12:00 p.m. PT 
    Microsoft revealed a security hole in its Exchange 2000 mail server
    Wednesday that could allow an attacker to target corporate employees
    with programs that delete their mail.
    The flaw affects only companies that use a program included by
    Microsoft in its Exchange mail server package. Known as Outlook Web
    Access, the program allows companies to offer e-mail access to
    employees via a Web browser.
    According to the software giant, Outlook Web Access and the Internet
    Explorer browser don't play well together. Because the two programs
    aren't entirely on the same page, an e-mail attachment that appears to
    be a text file could contain a script that, when opened with Internet
    Explorer, would be able to modify a person's in-box and other mail
    "It's not something that is going to reformat your hard drive," said
    Christopher Budd, program manager with Microsoft's security response
    center. "The script can only do what the browser will allow it to do;
    you cannot write files to the machine through the browser."
    A malicious program could, however, add, delete and modify the data
    and messages in a person's in-box, according to the Microsoft
    To exploit the flaw, an attacker would have to create a special text
    attachment that includes HTML code and scripts. While the attachment
    would appear to be a text file to the recipient, once opened, the
    script would automatically execute without notification.
    Under Outlook and other mail clients, an HTML file would either be
    identified as such--with an icon that looks like an HTML page--or be
    considered a text file and not executed. The Outlook Web Access flaw
    makes the file appear as text but executes it as if it were HTML.
    Worse, while Windows normally warns a user when a script runs, in this
    case, it does not.
    The good news, said Microsoft's Budd, is that--because the
    vulnerability affects only Web mail users and not those using Outlook
    or Outlook Express--anyone exploiting the flaw will not have much
    "This is really dependent on someone reading the attachment" via a Web
    browser, he said. "If I sent a virus out to a million people, only a
    small percentage would be affected."
    Furthermore, the flaw does not allow a malicious program to
    automatically send e-mail, a tactic common among the mass-mailing
    worms plaguing the Internet today.
    To date, no programs are known to exploit the vulnerability.
    Microsoft notified security experts of the problem late Wednesday and
    already has a patch for companies using its Exchange Server 2000. The
    previous version of Exchange--version 5.5--does not have the
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Fri Jun 08 2001 - 02:55:05 PDT