XGEN: Incorrect Attachment Processing in Exchange 2000 Outlook Web Access Can Run Script (299535)


The information in this article applies to:

  • Microsoft Exchange 2000 Server
This article was previously published under Q299535
On June 06, 2001 Microsoft released the original version of this patch. Microsoft subsequently identified two issues that necessitated updating the patch on June 08, 2001:
  • The vulnerability was found to affect Microsoft Exchange Server 5.5. Microsoft has developed a patch that eliminates the vulnerability, and recommends that customers that offer Microsoft Outlook Web Access (OWA) services by using Exchange Server 5.5 install this patch.For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

    301361 XGEN: Incorrect Attachment Processing in Exchange Server 5.5 Outlook Web Access Can Run Script

  • A regression error was identified in the patch that was originally provided for Exchange 2000. Microsoft has corrected the error and provided an updated version of the patch. Microsoft recommends that customers who installed the original version of the Exchange 2000 patch install the updated version.

SYMPTOMS

OWA is a service of Exchange 2000 Server that a user can use to gain access to an Exchange mailbox by using a Web browser. However, a vulnerability exists in the interaction between OWA and Microsoft Internet Explorer for message attachments. If an attachment contains Hypertext Markup Language (HTML) code that includes script, the script is run when the user opens the attachment, regardless of the attachment type. Because OWA requires that scripting be enabled in the zone where the OWA server is located, this script can take action against the user's Exchange mailbox.

An attacker might use this vulnerability to construct an attachment that contains malicious script code. The attacker can then send the attachment in a message to a user. If the user opens the attachment in OWA, the script runs and can take action against the user's mailbox as if the script is the user, including, under certain circumstances, manipulation of messages or folders.

The following are mitigating factors:
  • The vulnerability can only be exploited if the user is using OWA in conjunction with Internet Explorer.
  • The vulnerability can only be exploited by attachments that are received by using OWA. In general, an attacker has no way to determine whether a user will open an attachment by using OWA rather than Microsoft Outlook.
  • An attacker's ability to exploit this vulnerability requires that the attacker entice the user to open an attachment from an untrusted source. The best practice is not to open any attachment from an unknown or untrusted source.

RESOLUTION

The following files are available for download from the Microsoft Download Center:

English: DownloadDownload Q299535engi386.exe now

French: DownloadDownload Q299535frni386.exe now

German: DownloadDownload Q299535geri386.exe now

Italian: DownloadDownload Q299535itni386.exe now

Japanese: DownloadDownload Q299535jpni386.exe now

Spanish: DownloadDownload Q299535spai386.exe now

Release Date: June 8, 2001

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. To resolve this problem, obtain the latest service pack for Microsoft Exchange 2000 Server. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

301378 XGEN: How to Obtain the Latest Exchange 2000 Server Service Pack

The English version of this fix should have the following file attributes or later:

Component: OWA

File nameVersion
Davex.dll6.0.4419.27
Excdo.dll6.0.4419.27
Exoledb.dll6.0.4419.27
Exprox.dll6.0.4419.27
Mdbsz.dll6.0.4419.27
Store.exe6.0.4419.27

STATUS

Microsoft has confirmed that this problem may cause a degree of security vulnerability in Microsoft Exchange 2000 Server.

This problem was first corrected in Microsoft Exchange 2000 Server Service Pack 1.

MORE INFORMATION

For more information about this security vulnerability, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/MS01-030.asp

Modification Type:MajorLast Reviewed:6/22/2004
Keywords:kbbug kbExchange2000preSP1fix kbfix kbQFE KB299535
©2004 Microsoft Corporation. All rights reserved.