MS plugs 'moderate' Exchange vuln
DEFCON 0.02 or thereabouts
Microsoft's patch train rolled into town last night with one solitary occupant. After the release of XP SP2 last Friday it's just as well that the only extra thing sysadmins have to contend with is a not-especially devastating vulnerability involving Exchange.
Microsoft has issued a patch which aims to address a cross-site scripting and spoofing vulnerability in Outlook Web Access feature of Exchange Server 5.5. This flaw could be exploited to trick a user into running a malicious script, which would run in the security context of a user. It may also be possible to exploit the flaw to manipulate Web browser caches and intermediate proxy server caches, and put spoofed content in those caches.
The vulnerability affects only Outlook Web Access for Exchange Server 5.5. Outlook Web Access for Exchange 2000 Server and Outlook Web Access for Exchange Server 2003 are not vulnerable.
Redmond describes the vulnerability as moderate, way below the dreaded critical and important designations on its peril index. The alternative workaround is to disable Outlook Web Access, the service that allows users to access their Exchange mailbox through a browser
Microsoft recommends that customers "consider applying" the security update. Its advisory is here. ®