GuardDog Security | Flaw in OWA's Handling of HTML E-mail
12/07/01 -

INFORMATION ALERT


AN EMERGING ISSUE WITH:

OUTLOOK WEB ACCESS FOR EXCHANGE 5.5


SEVERITY:
Medium

DATE:
December 7, 2001


SUMMARY:

Late on December 6, Microsoft released a security bulletin
warning about a vulnerability in the way Exchange 5.5 with
Outlook Web Access (OWA) handles scripts in HTML-based
e-mails. A hacker could craft a specific script which, when
opened with Internet Explorer through OWA, could
automatically execute and give the attacker full control
over the victim's Exchange mailbox. There is no direct
impact on WatchGuard products. Administrators running
Exchange 5.5 with OWA should apply Microsoft's patch as soon
as possible.


EXPOSURE:

Outlook Web Access (OWA), a service that comes with
Microsoft Exchange 5.5, allows users to access their e-mail
through a convenient Web page. Security researcher Lex
Arquette found that if an attacker crafted a special script
within an HTML-based e-mail, the script would automatically
execute when opened through OWA with Internet Explorer. Once
executed, this script could do anything the local user could
do to the Exchange mailbox in question. This includes
sending out new e-mail messages in the user's name, or
deleting existing e-mail.

This attack will only succeed if the victim opens the
malicious e-mail using Microsoft Internet Explorer through
OWA. If the intended victim uses any other mail client, such
as Outlook, the attack would fail. This attack also requires
that the hacker have knowledge of the victim's e-mail client
usage and version of OWA. While these factors limit the
risk, they do not eliminate it. A typical hacker approach
would be to build a tool that automates the attack, and try
it on a thousand machines until a vulnerable machine is
found.

The damage from this attack, although significant to the
victim, is limited in scope. This exploit only gives an
attacker access to the victim's Exchange mailbox. That could
be very significant if the victim is someone whose e-mails
concern confidential pricing, R&D results, or merger
information; it would be less significant if the victim
mailbox is used solely for ordering janitorial supplies.
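
The exposure above depends on script carried in the HTML body of a
message. The following Python is an added example, not part of the
original alert and not Microsoft's fix: it triages a stored or inbound
message for HTML parts that carry active content. The names
ActiveContentFinder and scan_message and both sample messages are
constructed for illustration; the alert does not show the script
itself, so the checks cover common script carriers only.

```python
from email import message_from_string
from html.parser import HTMLParser

class ActiveContentFinder(HTMLParser):
    """Records script-bearing constructs; names arrive lowercased, values entity-decoded."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):  # event handlers such as onload, onerror
                self.findings.append(f"{tag} {name} handler")
            # Browsers ignore whitespace/control characters inside a URL scheme.
            url = "".join(c for c in (value or "") if c > " ").lower()
            if url.startswith(("javascript:", "vbscript:")):
                self.findings.append(f"{tag} {name} script URL")

def scan_message(raw):
    """Return findings for every text/html part of an RFC 822 message string."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "text/html":
            continue  # text/plain parts are not rendered as HTML
        body = part.get_payload(decode=True) or b""
        finder = ActiveContentFinder()
        finder.feed(body.decode(part.get_content_charset() or "latin-1", "replace"))
        finder.close()
        findings.extend(finder.findings)
    return findings

# Constructed sample messages (not taken from the alert or the bulletin).
SAMPLE_SCRIPTED = """\
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Plain part mentioning <script> is not HTML.
--b1
Content-Type: text/html; charset="us-ascii"

<body onload="go()"><script>go()</script><a href="java&#115;cript:go()">x</a></body>
--b1--
"""
SAMPLE_BENIGN = 'Content-Type: text/html\n\n<p>See <a href="http://example.test/">this</a>.</p>\n'

print(scan_message(SAMPLE_SCRIPTED))
```

A non-empty result marks a message for review before it is opened
through OWA; it does not replace applying the patch.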


SOLUTION PATH:

Microsoft has made a patch available to fix this issue. You
can find it here
34402>.

-- For GuardDog Users:
This attack relies on a combination of e-mail and Web
traffic, and cannot be blocked unless you are willing to
block all e-mail and Web traffic. Applying the patch is your
primary recourse.


STATUS:

A patch is available. We recommend you apply it as soon as
possible.


DIRECT IMPACT ON GUARDDOG PRODUCTS:

There is no direct impact on GuardDog products.


IMPACT ON NETWORKS PROTECTED BY GUARDDOG PRODUCTS:

An attacker in a remote location could access the mailboxes
of users on a network running Exchange 5.5 with Outlook Web
Access.


REFERENCES:

Microsoft Security Bulletin MS01-057
/technet/security/bulletin/ms01-057.asp>