Severity: Medium
8 July, 2008
Summary:
§ This vulnerability affects: Exchange Servers running Outlook Web Access (OWA)
§ How an attacker exploits it: By enticing one of your users into opening a specially crafted email within an OWA session
§ Impact: The attacker gains access to the victim’s OWA email account
§ What to do: Deploy the appropriate Exchange Server patch as soon as possible
Exposure:
Outlook Web Access (OWA) is a service that ships with Microsoft Exchange and lets users read their e-mail through a Web page. In a security bulletin released today as part of its monthly patch update, Microsoft describes two cross-site scripting (XSS) vulnerabilities that affect Exchange Servers running OWA. While technically different, both vulnerabilities have the same scope and impact. If an attacker can entice one of your users into opening a specially crafted email within an active OWA session, he could exploit either XSS vulnerability to run script in that user's authenticated session and thereby gain access to the user's OWA account. This means the attacker could read, send, or delete any of that user's email.
Solution Path:
Microsoft has released patches to fix these vulnerabilities. You should download, test, and deploy the appropriate Exchange patch as soon as possible.
For All WatchGuard Users:
These attacks travel as normal-looking email traffic, which you must allow if you want users to receive email. Therefore, the patches above are your best solution.
Status:
Microsoft has released patches to fix these vulnerabilities.