Microsoft Security Advisory (2401593)

Vulnerability in Outlook Web Access Could Allow Elevation of Privilege

Published: Tuesday, September 14, 2010

Version: 1.0

General Information

Executive Summary

Microsoft has completed the investigation of a publicly disclosed vulnerability in Outlook Web Access (OWA) that may affect Microsoft Exchange customers. An attacker who successfully exploited this vulnerability could hijack an authenticated OWA session. The attacker could then perform actions on behalf of the authenticated user without the user's knowledge, within the security context of the active OWA session.

This vulnerability affects supported editions of Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007 (except Microsoft Exchange Server 2007 Service Pack 3). Microsoft Exchange Server 2000, Microsoft Exchange Server 2007 Service Pack 3, and Microsoft Exchange Server 2010 are not affected by the vulnerability. For more information, see the section, Affected and Non-Affected Software.

Microsoft recommends that customers running affected editions of Microsoft Exchange Server upgrade to a non-affected version of Microsoft Exchange Server to address the vulnerability. Customers who are unable to upgrade at this time can refer to the Workarounds section for options that can help limit how an attacker can exploit the vulnerability.

At this time, we are unaware of any attacks attempting to exploit this vulnerability. We will continue to monitor the threat landscape and update this advisory if the situation changes.

Advisory Details

Issue References

For more information about this issue, see the following references:

References	Identification
CVE Reference	CVE-2010-3213

Affected and Non-Affected Software

This advisory discusses the following software.


Affected Software
Microsoft Exchange Server 2003 Service Pack 2
Microsoft Exchange Server 2007 Service Pack 1
Microsoft Exchange Server 2007 Service Pack 2
Non-Affected Software
Microsoft Exchange Server 2000 Service Pack 3
Microsoft Exchange Server 2007 Service Pack 3
Microsoft Exchange Server 2010
Microsoft Exchange Server 2010 Service Pack 1

Frequently Asked Questions

What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting Outlook Web Access (OWA) for Microsoft Exchange Server. This affects the software that is listed in the Affected Software section.

What is Exchange Outlook Web Access (OWA)?
Outlook Web Access (OWA) is a webmail service of Microsoft Exchange Server 5.0 and later. The Web interface of Outlook Web Access resembles the interface in Microsoft Outlook. Outlook Web Access comes as a part of Microsoft Exchange Server.

What causes this threat?
Under certain circumstances, an authenticated OWA session can be hijacked by an attacker to perform actions on behalf of the user without the user's knowledge.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could perform actions on behalf of the authenticated user in the security context of the active OWA session, such as reading e-mail messages, adding new inbox rules, or changing OWA user preferences.

How could an attacker exploit the vulnerability?
An attacker could exploit this vulnerability by convincing a targeted user to visit a malicious Web page that the attacker crafted specifically for the targeted Exchange domain, during an active OWA session.

Why is there no security update to address this vulnerability?
A security update is not available because addressing the vulnerability would require a design change to implement a new http request verification framework for OWA to help prevent an attacker from hijacking a user's OWA session. Microsoft has determined that introducing a design change of such a magnitude into affected versions of Microsoft Exchange Server would bear too high a risk of destabilizing and breaking customer environments.

What do I do if I am using versions of the product for which an update is not available?
Administrators running affected editions of Microsoft Exchange Server should upgrade to a non-affected version of Microsoft Exchange Server. Microsoft Exchange Server 2007 Service Pack 3 and Microsoft Exchange Server 2010 are not affected by the vulnerability.

Administrators who are unable to upgrade at this time can refer to the Workarounds section for options that can help limit how an attacker can exploit the vulnerability.

I am using an older release of the software discussed in this security advisory. What should I do?
The affected software listed in this advisory have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Mitigating Factors and Suggested Actions

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Feedback

You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.

Support

Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

V1.0 (September 14, 2010): Advisory published.