Original URL: http://www.theregister.co.uk/2004/08/11/ms_august_patch_batch/

MS plugs 'moderate' Exchange vuln

DEFCON 0.02 or thereabouts

By John Leyden

Posted in Security, 11th August 2004 10:12 GMT

Microsoft's patch train rolled into town last night with one solitary occupant. After the release of XP SP2 last Friday it's just as well that the only extra thing sysadmins have to contend with is a not-especially devastating vulnerability involving Exchange.

Microsoft has issued a patch which aims to address a cross-site scripting and spoofing vulnerability in Outlook Web Access feature of Exchange Server 5.5. This flaw could be exploited to trick a user into running a malicious script, which would run in the security context of a user. It may also be possible to exploit the flaw to manipulate Web browser caches and intermediate proxy server caches, and put spoofed content in those caches.

The vulnerability affects only Outlook Web Access for Exchange Server 5.5. Outlook Web Access for Exchange 2000 Server and Outlook Web Access for Exchange Server 2003 are not vulnerable.

Redmond describes the vulnerability as moderate, way below the dreaded critical and important designations on its peril index. The alternative workaround is to disable Outlook Web Access, the service that allows users to access their Exchange mailbox through a browser

Microsoft recommends that customers "consider applying" the security update. Its advisory is here. ®

Related stories

MS hatches July patch batch
Long-awaited IE patch (finally) arrives
Microsoft drops WinXP SP2 surprise onto Beta site
How to order WinXP SP2 now