
SECURITY: Another Week, Another Outlook Flaw

This flaw is in the way Outlook Web Access handles script messages. Microsoft rates the problem "medium."
Users of Microsoft's Exchange 5.5 E-mail server have been alerted to yet another serious vulnerability. Microsoft sent its 57th security bulletin of the year. This time, anyone can access and manipulate E-mail in someone's Exchange mailbox by using a Web browser, Microsoft says.

The vulnerability is caused by a flaw in the way Outlook Web Access handles online script messages with Internet Explorer. According to Microsoft, a carefully crafted HTML message with a certain script would enable someone to "take any action against the user's Exchange mailbox," such as sending, moving, and deleting messages. The attacker can use this flaw by sending an E-mail to someone. If the victim opens the message in Outlook Web Access, he or she is vulnerable to this exploit.

This flaw, discovered by Lex Arquette of consulting firm WhiteHat Security, is only the most recent security problem Microsoft has faced with Outlook Web Access. Earlier this year, the company had to publish three patches to fix a similar problem.

Microsoft has rated the risk of this vulnerability "medium" and is urging users to download a patch available on its Web site,