Microsoft plugs hole in Exchange

The vulnerability revealed in Tuesday's advisory could be exploited to target people using the Web e-mail component for Exchange, called Outlook Web Access, Microsoft said. An attacker with an account on a company's Exchange server could create a script that, when run by an OWA user on the same server, would give access to the victim's e-mail boxes and information.

The flaw also allows the malicious programmer to place spoofed content, such as fake graphics and Web pages, in the server's cache of Web content.

The vulnerability is not easy to exploit, said Stephen Toulouse, a security program manager at Microsoft, citing several preconditions to making an attack work.

"The attacker would have to have an account, and the user would have to allow access," he said.

Last week, Microsoft shipped its largest collection of fixes and new features for its Windows operating system to manufacturers. The software update, dubbed Service Pack 2, improves the firewall, adds a software applet that displays the current security status of a PC and bolsters other aspects of PC security, the company said.

The SP2 security update does not address server issues, such as the latest Exchange flaw. The problem is in a category known as cross-site scripting vulnerabilities, which enable one site with a more lenient security model to be used to bypass another site's more stringent security.

"Cross-site scripting vulnerabilities are always the more complex ones," Toulouse said. "And this one is really complex."

The vulnerability does not affect Microsoft's most recent e-mail software--Exchange 2000 and Exchange 2003--and will not be a risk if a company using Exchange 5.5 does not have the OWA component installed, Toulouse said.

The Exchange 5.5 patch can be downloaded from Microsoft's Web site. Sanctum, a Web application security provider, found the flaw, the software maker stated in its advisory.