US-CERT
Vulnerability Notes Database

Vulnerability Note VU#149424

Outlook Web Access (OWA) executes scripts contained in email attachment opened via Microsoft Internet Explorer (IE)

Overview

Microsoft Outlook Web Access (OWA) can run malicious scripts on an Exchange server when Internet Explorer (IE) users open email attachments.

I. Description

OWA allows users to access their email accounts on a Microsoft Exchange server from another host through a web browser. When IE users access their email through some versions of OWA and choose to open an email attachment that contains malicious script in HTML, IE may execute the script on the client side. If executed, the script would have all privileges of the OWA user, including access to and manipulation of messages and folders on the server.

This vulnerability affects OWA implementations in Microsoft Exchange 5.5 and Exchange 2000. Exploitation of this vulnerability requires the user to open an email attachment. This vulnerability applies to all attachments, regardless of the attachment's file type.
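Because the attachment's file type does not matter, a mail-gateway check for this class of problem has to inspect attachment content rather than the declared type or extension. The following Python sketch is an added example, not part of the original note or of Microsoft's patch; the marker list, function names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Heuristic markers of active HTML content (an assumption chosen for this example).
ACTIVE_HTML = re.compile(
    rb"<\s*(?:script|iframe|object|embed)\b|javascript\s*:"
    rb"|\bon(?:load|error|click|mouseover)\s*=",
    re.IGNORECASE,
)

def flag_scripted_attachments(raw_message: bytes):
    """Return (filename, declared_type, marker) for every attachment whose
    decoded body carries HTML script markers, ignoring the declared type."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers hold no payload; their children are walked
        if part.get_filename() is None and part.get_content_disposition() != "attachment":
            continue  # inline message body, not an attachment
        payload = part.get_payload(decode=True) or b""
        # Dropping NUL bytes lets the ASCII patterns also match UTF-16 text.
        hit = ACTIVE_HTML.search(payload.replace(b"\x00", b""))
        if hit:
            findings.append((part.get_filename(), part.get_content_type(),
                             hit.group(0).decode("ascii", "replace").lower()))
    return findings

def build_sample() -> bytes:
    """Constructed test message: two attachments hide HTML behind other types."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(b"<html><script>/* placeholder */</script></html>",
                       maintype="image", subtype="jpeg", filename="photo.jpg")
    msg.add_attachment("meeting notes, no markup", filename="notes.txt")
    msg.add_attachment("<SCRIPT>/* placeholder */</SCRIPT>".encode("utf-16-le"),
                       maintype="application", subtype="msword", filename="report.doc")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, ctype, marker in flag_scripted_attachments(build_sample()):
        print(f"{name}: declared {ctype}, contains {marker}")
```

A pattern match of this kind is a triage signal for quarantine or review, not proof that an attachment is malicious.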

II. Impact

Malicious scripts could access all email messages stored on the server, breaching assumed confidentiality of the messages. Malicious scripts could also delete messages or rearrange messages among folders.

III. Solution

Download the patch available from Microsoft through its advisory at:

http://www.microsoft.com/technet/security/bulletin/ms01-030.asp

Take great care when choosing whether to open any email attachment. Do not open any email attachment if you are not sure that its content is safe. A malicious attachment may appear to come from someone you trust. Verify that the attachment was sent intentionally by the sender before opening it.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Microsoft | Vulnerable | 5-Jul-2001

References


http://www.microsoft.com/technet/security/bulletin/MS01-030.asp
http://www.securityfocus.com/bid/2832

Credit

Thanks to Microsoft for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

Date Public: 2001-06-06
Date First Published: 2001-08-29
Date Last Updated: 2001-08-30
CERT Advisory:
CVE-ID(s): CAN-2001-0340
NVD-ID(s): CAN-2001-0340
US-CERT Technical Alerts:
Metric: 0.68
Document Revision: 17

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2001 Carnegie Mellon University