MS patches Exchange 2000 email spy bug

Outlook Web Access flaw

Crackers could ferret their way into a victim's email by exploiting the way that Exchange 2000 allows users to access their in-boxes over the Web.

Microsoft has issued a patch; the flaw revolves around the interaction between Outlook Web Access and Internet Explorer in handling message attachments.

If an attachment contains HTML code including script, the script will be executed when the attachment is opened, regardless of the attachment type. In the hands of even a modestly skilled attacker this could be used to create maliciously constructed emails designed to break into users' in-boxes, as Microsoft states.

In a security notice on the issue, Microsoft said: "If the user opened a [maliciously constructed] attachment in Outlook Web Access, the script would execute and could take action against the user's mailbox as if it were the user, including, under certain circumstances, manipulation of messages or folders."

This attack relies on the use of Outlook Web Access to read emails; emails opened locally aren't subject to the vulnerability. Still, the flaw could be a relatively easy way to try a spot of industrial espionage - or worse - so it should be addressed sooner rather than later. ®
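An added example, not taken from the article or from Microsoft's bulletin: because the script ran regardless of the attachment type, a mail-gateway check has to inspect attachment content rather than trust the declared type. The function names, the token list and the sample message below are constructed for illustration, and this heuristic is not Microsoft's patch.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed token list: markup a browser would treat as active content
# if it rendered the attachment bytes as HTML.
ACTIVE_MARKUP = re.compile(
    rb"<\s*(script|iframe|object|embed)\b|<[^>]*\son\w+\s*=|javascript\s*:",
    re.IGNORECASE,
)

def scan_attachments(raw_message: bytes, sniff_bytes: int = 65536):
    """Return (filename, declared_type, matched_token) per risky attachment.

    The declared Content-Type is reported but never trusted: every
    attachment is decoded and its leading bytes are checked for markup.
    """
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if not (part.is_attachment() or part.get_filename()):
            continue  # inline message body, not an attachment
        payload = part.get_payload(decode=True) or b""  # undo base64 / QP
        hit = ACTIVE_MARKUP.search(payload[:sniff_bytes])
        if hit:
            token = hit.group(0).decode("ascii", "replace")
            findings.append((part.get_filename(), part.get_content_type(), token))
    return findings

def build_sample() -> bytes:
    """Constructed message: one plain-text attachment, and one attachment
    declared as image/jpeg whose bytes are really HTML with an inert script."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment("plain notes, nothing active", filename="notes.txt")
    html = b"<html><body><script>/* constructed placeholder */</script></body></html>"
    msg.add_attachment(html, maintype="image", subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, declared, token in scan_attachments(build_sample()):
        print(f"quarantine {name}: declared {declared}, contains {token!r}")
```

A gateway could quarantine or strip the flagged parts before delivery to mailboxes that are read through a browser.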

External links

Microsoft bulletin: Incorrect Attachment Handling in Exchange 2000 OWA Can Execute Script
