Security hole found in Exchange 2000

[InfoSec News <isn () c4i org>]

http://news.cnet.com/news/0-1003-200-6217519.html?tag=mn_hd

By Robert Lemos
Special to CNET News.com 
June 7, 2001, 12:00 p.m. PT 

Microsoft revealed a security hole in its Exchange 2000 mail server
Wednesday that could allow an attacker to target corporate employees
with programs that delete their mail.

The flaw affects only companies that use a program included by
Microsoft in its Exchange mail server package. Known as Outlook Web
Access, the program allows companies to offer e-mail access to
employees via a Web browser.

According to the software giant, Outlook Web Access and the Internet
Explorer browser don't play well together. Because the two programs
aren't entirely on the same page, an e-mail attachment that appears to
be a text file could contain a script that, when opened with Internet
Explorer, would be able to modify a person's in-box and other mail
folders.

"It's not something that is going to reformat your hard drive," said
Christopher Budd, program manager with Microsoft's security response
center. "The script can only do what the browser will allow it to do;
you cannot write files to the machine through the browser."

A malicious program could, however, add, delete and modify the data
and messages in a person's in-box, according to the Microsoft
advisory.

To exploit the flaw, an attacker would have to create a special text
attachment that includes HTML code and scripts. While the attachment
would appear to be a text file to the recipient, once opened, the
script would automatically execute without notification.

Under Outlook and other mail clients, an HTML file would either be
identified as such--with an icon that looks like an HTML page--or be
considered a text file and not executed. The Outlook Web Access flaw
makes the file appear as text but executes it as if it were HTML.

Worse, while Windows normally warns a user when a script runs, in this
case, it does not.

The good news, said Microsoft's Budd, is that--because the
vulnerability affects only Web mail users and not those using Outlook
or Outlook Express--anyone exploiting the flaw will not have much
success.

"This is really dependent on someone reading the attachment" via a Web
browser, he said. "If I sent a virus out to a million people, only a
small percentage would be affected."

Furthermore, the flaw does not allow a malicious program to
automatically send e-mail, a tactic common among the mass-mailing
worms plaguing the Internet today.

To date, no programs are known to exploit the vulnerability.

Microsoft notified security experts of the problem late Wednesday and
already has a patch for companies using its Exchange Server 2000. The
previous version of Exchange--version 5.5--does not have the
vulnerability.



ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.