The vulnerability is caused by a flaw in the way Outlook Web Access handles online script messages with Internet Explorer. According to Microsoft, a carefully crafted HTML message with a certain script would enable someone to "take any action against the user's Exchange mailbox," such as sending, moving, and deleting messages. The attacker can use this flaw by sending an E-mail to someone. If the victim opens the message in Outlook Web Access, he or she is vulnerable to this exploit.
This flaw, discovered by Lex Arquette of consulting firm WhiteHat Security, is only the most recent security problem Microsoft has faced with Outlook Web Access. Earlier this year, the company had to publish three patches to fix a similar problem.
Microsoft has rated the risk of this vulnerability "medium" and is urging users to download a patch available on its Web site, www.microsoft.com/security.