Microsoft Security Bulletin MS03-047
Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)
Issued: October 15, 2003
Updated: April 12, 2004
Version Number: 2.1
Who Should Read This Document:
System administrators who have servers running Microsoft® Exchange Server 5.5 Outlook® Web Access
Impact of Vulnerability:
Remote Code Execution
Maximum Severity Rating:
Recommendation:
System administrators should install this security patch on their servers running Outlook Web Access 5.5.
This patch replaces Microsoft Security Bulletin MS01-057.
Customers who have customized any of the ASP pages in the File Information section in this document should back up those files before applying this patch, as they will be overwritten when the patch is applied. Any customizations would then need to be reapplied to the new ASP pages.
- Version Requirements for Dependent Components for this patch:
  To install successfully, this patch requires that the OWA server have Internet Explorer 5.01 or greater installed.
- Version Recommendations for Dependent Components for OWA:
  At the time of this writing, the following versions are recommended for dependent components on the OWA server:
  - IIS Version 4.0 on Windows NT 4.0 SP6
  - IIS Version 5.0 on Windows 2000 SP2 or greater
  - IE Version 5.5 SP2
  - IE Version 6.0
Tested Software and Patch Download Locations:
- Microsoft Exchange Server 5.5, Service Pack 4 - Download the patch
Non Affected Software:
- Microsoft Exchange 2000 Server
- Microsoft Exchange Server 2003
The software listed above has been tested to determine if the above versions are affected. Other versions are no longer supported, and may or may not be affected.
Microsoft thanks the following for working with us to protect customers:
- Ory Segal of Sanctum Inc. for reporting the issue described in MS03-047.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site.
- Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls associated with security patches.
- The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
- Microsoft Software Update Services: http://www.microsoft.com/sus/
- Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for a list of security patches that have detection limitations with the MBSA tool.
- Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166
- Windows Update: http://windowsupdate.microsoft.com
- Office Update: http://office.microsoft.com/officeupdate/
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 October 15, 2003: First Published.
- V1.1 October 21, 2003:
  - Removed unnecessary information from "Deployment" in the "Exchange Server 5.5 Service Pack 4" section of "Security Patch Information."
  - Updated product specific information in the "Exchange Server 5.5 Service Pack 4" section of "Security Patch Information."
  - Updated link in the "Severity Rating" section of "Technical Details".
- V2.0 October 22, 2003: Updated to include details of an additional patch for languages available through the Outlook Web Access language pack.
- V2.1 April 12, 2004: Updated correct registry entries.