A FLAW IN the Outlook Web Access module in Microsoft's Exchange 5.5 e-mail system could allow unauthorized access to user's mailboxes, the company warned late Thursday.

   ADVERTISEMENT
  

Free IT resource

Virtualization Insights from Top Experts - Learn how virtualization gets real!

Sponsored by Dell

Free IT resource

TechNet: More ways to know it, share it, and keep it running.

Sponsored by Microsoft

RELATED LINKS
»  IE 7 bug reopens debate over patch responsibilities
»  Woman ordered to pay for file-sharing will appeal
»  McAfee to buy SafeBoot for $350M
»  Security RSS feed 

IDG ENTERPRISE NETWORK
Research Reports  (CIO)
Ask the Expert  (CIO)

TOP NEWS 


IT SOLUTION SEARCH
The problem lies in the way Outlook Web Access handles inline script in HTML e-mail messages, Microsoft said in a security bulletin. An attacker can get full control over a mailbox when his e-mail with embedded malicious code is opened using Microsoft's Internet Explorer browser and Outlook Web Access, Microsoft said.

Although the attacker can delete mailbox contents, move messages, and send messages as if they were the user, it isn't possible to send e-mail to addresses in the user's address book, preventing a mass-mailing attack, Microsoft said.

Outlook Web Access allows users to access their e-mail via the Web, rather than using the Outlook client software on their PC.

Microsoft is having a tough time securing Outlook Web Access. In June it took the company three patches to plug a similar hole. The first and second patches for the hole, which affected both Exchange 2000 Server and Exchange 5.5, left administrators with dysfunctional e-mail systems.

Microsoft, which gives the vulnerability a "moderate" severity rating, urges administrators who have deployed Outlook Web Access to immediately install a patch to fix the flaw. The patch is available from Microsoft's TechNet Web site.

Microsoft's security bulletin can be viewed on the Web at: www.microsoft.com/technet/security/bulletin/MS01-057.asp