COMMAND

    Microsoft Exchange

SYSTEMS AFFECTED

    Microsoft Exchange 5.5, 2000 Server Outlook Web Access

PROBLEM

    The following is based on Microsoft Security Bulletin MS01-030.
    OWA is a service of Exchange 2000 Server that allows users to  use
    a web browser to access  their Exchange mailbox.  However,  a flaw
    exists  in  the  interaction  between  OWA  and  IE  for   message
    attachments.   If  an  attachment  contains  HTML  code  including
    script, the script will be executed when the attachment is opened,
    regardless  of  the  attachment  type.   Because OWA requires that
    scripting be enabled in the zone where the OWA server is  located,
    this script could take action against the user's Exchange mailbox.

    An  attacker  could  use  this  flaw  to  construct  an attachment
    containing malicious script  code.  The  attacker could then  send
    the attachment in a message to  the user.  If the user  opened the
    attachment in OWA, the script would execute and could take  action
    against the  user's mailbox  as if  it were  the user,  including,
    under certain circumstances, manipulation of messages or folders.
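
    A mail-side check for the condition described above, where an
    attachment's content is HTML or script regardless of its declared
    type. This is an added example, not code from the bulletin or from
    Microsoft; the marker list, the 4096-byte scan window and the sample
    message are assumptions constructed for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed, simplified markers for bytes a browser could render as active HTML.
# This is an illustrative heuristic, not IE's actual content-sniffing logic.
HTML_MARKERS = re.compile(
    rb"<\s*(html|head|body|script|iframe|object|embed|meta)\b", re.IGNORECASE)
HTML_TYPES = {"text/html", "application/xhtml+xml"}
SNIFF_BYTES = 4096  # assumed scan window at the start of each attachment


def scan_attachments(raw_message: bytes) -> list:
    """Return a finding for every attachment whose content looks like HTML."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() != "attachment" and not part.get_filename():
            continue  # message body, not an attachment
        body = part.get_payload(decode=True) or b""
        match = HTML_MARKERS.search(body[:SNIFF_BYTES])
        if match is None:
            continue
        findings.append({
            "filename": part.get_filename() or "(unnamed)",
            "declared_type": part.get_content_type(),
            "marker": match.group(0).decode("ascii", "replace").lower(),
            # The advisory's case: the label is not HTML, the content is.
            "type_mismatch": part.get_content_type() not in HTML_TYPES,
        })
    return findings


def build_sample() -> bytes:
    """Constructed message: disguised HTML, honest HTML, and harmless text."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment("<html><script>/* inert */</script></html>",
                       subtype="plain", filename="notes.txt")
    msg.add_attachment("<html><body>hello</body></html>",
                       subtype="html", filename="page.html")
    msg.add_attachment("Totals: 1 < 2", subtype="plain", filename="report.txt")
    return msg.as_bytes()
```

    Findings with type_mismatch set are the ones to quarantine or
    strip at the gateway; calling scan_attachments(build_sample())
    shows both flagged attachments.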

    The vulnerability could only be  exploited if the user were  using
    OWA in conjunction with IE.  The vulnerability is only exploitable
    by attachments that are received via OWA.  In general, an attacker
    would  have  no  way  to  determine  whether  a user would open an
    attachment using OWA rather than an Outlook client.

    An attacker's ability to exploit this vulnerability would  require
    that she entice the user  to open an attachment from  an untrusted
    source.  Best practices  recommend against opening any  attachment
    from an unknown or untrusted source.

    Acknowledgment goes to Joao Gouveia.  Btw, the same bug applies
    to MS Exchange 5.5.

SOLUTION

    A patch is available to  fix this vulnerability.  Please  read the
    Security Bulletin

        http://www.microsoft.com/technet/security/bulletin/ms01-030.asp

    for information on obtaining this patch.  Note that the originally
    released  Exchange  2000  patch  has  been determined to contain a
    regression  error  that  can  cause  performance  problems  on the
    servers it is installed on.  It has been updated.

    Note that after applying the patch, stores.exe consumed 100% of
    CPU and Exchange became non-responsive.  Some tasks timed out,
    while others could be performed but were quite sluggish.  It
    affects clustered and non-clustered Exchange servers in the same
    way.

    Microsoft released a 3rd version of this patch.  According to the
    bulletin, they discovered that some outdated files were
    inadvertently placed in the first updated patch, and this patch
    fixes that problem.  All customers who have downloaded the
    Exchange 2000 patch prior to June 12, 2001 should install the
    updated version.