Subject: [NT] Vulnerability in Exchange Server 5.5 Outlook Web Access Allows CSS and Spoofing Attacks (MS04-026)
Date: 11 Aug 2004 15:15:43 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Vulnerability in Exchange Server 5.5 Outlook Web Access Allows CSS and 
Spoofing Attacks (MS04-026)
------------------------------------------------------------------------


SUMMARY

This update resolves a newly discovered, privately reported vulnerability. 
A cross-site scripting and spoofing vulnerability exists in Outlook Web 
Access for Exchange Server 5.5 that could allow an attacker to convince a 
user to run a malicious script.

An attacker who successfully exploited the vulnerability could manipulate 
Web browser caches and intermediate proxy server caches, and put spoofed 
content in those caches. They may also be able to exploit the 
vulnerability to perform cross-site scripting attacks.

DETAILS

Affected Software:
 * Microsoft Exchange Server 5.5 SP4

Non-Affected Software:
 * Microsoft Exchange 2000 Server
 * Microsoft Exchange Server 2003

Affected Components:
 * Outlook Web Access - Download the update:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=66E4E033-5A4C-4EEC-84F1-31F0CA878092&displaylang=en>

This is a cross-site scripting and spoofing vulnerability. The cross-site 
scripting vulnerability could allow an attacker to convince a user to run 
a malicious script. If this malicious script is run, it would execute in 
the security context of the user. Attempts to exploit this vulnerability 
require user interaction. This vulnerability could allow an attacker 
access to any data on the Outlook Web Access server that was accessible to 
the individual user.

It may also be possible to exploit the vulnerability to manipulate Web 
browser caches and intermediate proxy server caches, and put spoofed 
content in those caches.

Workaround:
Microsoft has tested the following workarounds. While these workarounds 
will not correct the underlying vulnerability, they help block known 
attack vectors. When a workaround reduces functionality, it is identified 
below.

 * Disable Outlook Web Access for Each Exchange Site

You can disable Outlook Web Access by following these steps. You must 
follow these steps on each Exchange site.
1. Start Exchange Administrator.
2. Expand the Configuration container for the site.
3. Click the Protocols container for the site.
4. Open the properties of the HTTP (Web) Site Settings object.
5. Click to clear the Enable Protocol check box.
6. Wait for the change to replicate, and then verify that this change has 
replicated to each server in the site. To do this, bind to each server in 
the site with Exchange Administrator, and then view the setting.

Impact of Workaround:
Users cannot access their mailboxes using Outlook Web Access.

 * Remove Outlook Web Access

For steps on how to remove Outlook Web Access, see Microsoft Knowledge 
Base Article 290287 <http://support.microsoft.com/default.aspx?kbid=290287>.

Impact of Workaround:
Users cannot access their mailboxes using Outlook Web Access.

For additional information about how to help secure your Exchange 
environment, visit the Security Resources for Exchange 5.5 Web site 
<http://go.microsoft.com/fwlink/?LinkId=33382>.

CVE Information:
CAN-2004-0203 
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0203>

What updates does this release replace?
This update replaces the security update that is provided in Microsoft 
Security Bulletin MS03-047.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if 
this update is required?
Yes. MBSA will determine if this update is required. For more information 
about MBSA, visit the MBSA Web site.

Note: After April 20, 2004, the Mssecure.xml file that is used by MBSA 
1.1.1 and earlier versions is no longer being updated with new security 
bulletin data. Therefore, scans that are performed after that date with 
MBSA 1.1.1 or earlier will be incomplete. All users should upgrade to MBSA 
1.2 because it provides more accurate security update detection and 
supports additional products. Users can download MBSA 1.2 from the MBSA 
Web site. For more information about MBSA support, visit the Microsoft 
Baseline Security Analyzer 1.2 Q&A Web site.

Can I use Systems Management Server (SMS) to determine if this update is 
required?
Yes. SMS can help detect and deploy this security update. For information 
about SMS, visit the SMS Web site.

What is the scope of the vulnerability?
This is a cross-site scripting and spoofing vulnerability. The cross-site 
scripting vulnerability could allow an attacker to convince a user to run 
a malicious script. If this malicious script is run, it would execute in 
the security context of the user. Attempts to exploit this vulnerability 
require user interaction. This vulnerability could allow an attacker 
access to any data on the Outlook Web Access server that was accessible to 
the individual user.

It may also be possible to exploit the vulnerability to manipulate Web 
browser caches and intermediate proxy server caches, and put spoofed 
content in those caches.

What causes the vulnerability?
Outlook Web Access does not properly validate input that is provided to an 
HTML redirection query before it sends this input to the browser.

What is Outlook Web Access?
Microsoft Outlook Web Access is a service of Microsoft Exchange Server. By 
using Outlook Web Access, users can access their Exchange mailbox through 
a Web browser. By using Outlook Web Access, a server that is running 
Exchange Server can also function as a Web site that lets authorized users 
read or send mail, manage their calendar, or perform other mail functions 
over the Internet.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited the vulnerability could perform 
cross-site scripting attacks, display spoofed responses to users, or 
redirect server responses to another user.

How could an attacker exploit the vulnerability?
An attacker could create an e-mail message that is specially crafted to 
attempt to exploit this vulnerability. An attacker could exploit the 
vulnerability by sending this specially crafted e-mail message to a user 
of a server that is running Outlook Web Access for Exchange Server 5.5. An 
attacker could then persuade the user to click a link in the e-mail 
message.

It may also be possible to exploit the vulnerability to manipulate Web 
browser caches and intermediate proxy server caches and put spoofed 
content in those caches.

What systems are primarily at risk from the vulnerability?
Systems running Outlook Web Access for Exchange Server 5.5 are primarily 
at risk from this vulnerability.

Are all supported versions of Outlook Web Access vulnerable?
No. The vulnerability affects only Outlook Web Access for Exchange Server 
5.5. Outlook Web Access for Exchange 2000 Server and Outlook Web Access 
for Exchange Server 2003 are not vulnerable.

On which Exchange servers should I install the update?
This update is intended only for servers that are running Outlook Web 
Access for Exchange Server 5.5. You do not have to install this update on 
servers that are not running Outlook Web Access for Exchange Server 5.5.

I have customized my Outlook Web Access site. What do I do?
Customers who have customized any of the ASP pages that are listed in the 
File Information section in this security bulletin should back up those 
files before they apply this update because these pages will be 
overwritten when the update is applied. Any customizations would then have 
to be reapplied to the new ASP pages. See Microsoft Knowledge Base Article 
327178 for the Microsoft support policy for the customization of Outlook 
Web Access.

What does the update do?
The update removes the vulnerability by modifying the way that Outlook Web 
Access validates input that is provided to an HTTP redirection query 
before it sends this input to the client.
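
The kind of validation described above, as an added example (not 
Microsoft's code and not the Outlook Web Access ASP pages): a hypothetical 
redirect handler in its unvalidated form beside a validated one. The 
function names, the ALLOWED_PREFIXES list and the /mail/ path are 
assumptions made for illustration.

```python
from html import escape
from urllib.parse import quote, urlsplit

# Hypothetical allow-list of in-application redirect targets (constructed).
ALLOWED_PREFIXES = ("/mail/",)


def naive_redirect(target: str) -> bytes:
    """Unvalidated form: caller input is copied into header and body as-is."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {target}\r\n"
        "Content-Type: text/html\r\n\r\n"
        f'<a href="{target}">Moved</a>'
    ).encode("latin-1", "replace")


def validate_target(target: str) -> str:
    """Return the target if it is a safe, same-site path; else raise ValueError."""
    # Control characters (CR, LF, NUL, ...) would let input end the header line.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in target):
        raise ValueError("control character in redirect target")
    parts = urlsplit(target)
    # Only local paths: no scheme, no host, no '//' or backslash variants.
    if parts.scheme or parts.netloc or target.startswith("//") or "\\" in target:
        raise ValueError("redirect target must be a local path")
    if not target.startswith(ALLOWED_PREFIXES):
        raise ValueError("redirect target outside allow-list")
    return target


def safe_redirect(target: str) -> bytes:
    """Validated form: reject bad input, then encode for each output context."""
    path = validate_target(target)
    header_value = quote(path, safe="/?&=%-._~")   # percent-encode for the header
    body_value = escape(header_value, quote=True)  # HTML-encode for the body
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {header_value}\r\n"
        # Keeps browser and proxy caches from storing the redirect response.
        "Cache-Control: no-store\r\n"
        "Content-Type: text/html; charset=utf-8\r\n\r\n"
        f'<a href="{body_value}">Moved</a>'
    ).encode("ascii")
```

Validation runs before encoding so that a rejected request never reaches 
the response writer, and the header and HTML body each get the encoding 
that fits their own context.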

When this security bulletin was issued, had this vulnerability been 
publicly disclosed?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly disclosed when this security bulletin was 
originally issued.

When this security bulletin was issued, had Microsoft received any reports 
that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this 
vulnerability had been publicly used to attack customers and had not seen 
any examples of proof of concept code published when this security 
bulletin was originally issued.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.
The original article can be found at: 
<http://www.microsoft.com/technet/security/bulletin/MS04-026.mspx>


