Microsoft Security Advisory 2401593
Vulnerability in Outlook Web Access Could Allow Elevation of Privilege
Published: September 14, 2010
Microsoft has completed the investigation of a publicly disclosed vulnerability in Outlook Web Access (OWA) that may affect Microsoft Exchange customers. An attacker who successfully exploited this vulnerability could hijack an authenticated OWA session. The attacker could then perform actions on behalf of the authenticated user without the user's knowledge, within the security context of the active OWA session.
This vulnerability affects supported editions of Microsoft Exchange Server 2003 and Microsoft Exchange Server 2007 (except Microsoft Exchange Server 2007 Service Pack 3). Microsoft Exchange Server 2000, Microsoft Exchange Server 2007 Service Pack 3, and Microsoft Exchange Server 2010 are not affected by the vulnerability. For more information, see the section, Affected and Non-Affected Software.
Microsoft recommends that customers running affected editions of Microsoft Exchange Server upgrade to a non-affected version of Microsoft Exchange Server to address the vulnerability. Customers who are unable to upgrade at this time can refer to the Workarounds section for options that can help limit how an attacker can exploit the vulnerability.
At this time, we are unaware of any attacks attempting to exploit this vulnerability. We will continue to monitor the threat landscape and update this advisory if the situation changes.
For more information about this issue, see the following references:
Affected and Non-Affected Software
This advisory discusses the following software.
|Microsoft Exchange Server 2003 Service Pack 2|
|Microsoft Exchange Server 2007 Service Pack 1|
|Microsoft Exchange Server 2007 Service Pack 2|
|Microsoft Exchange Server 2000 Service Pack 3|
|Microsoft Exchange Server 2007 Service Pack 3|
|Microsoft Exchange Server 2010|
|Microsoft Exchange Server 2010 Service Pack 1|
What is the scope of the advisory?
Microsoft is aware of a new vulnerability report affecting Outlook Web Access (OWA) for Microsoft Exchange Server. This affects the software that is listed in the Affected Software section.
What is Exchange Outlook Web Access (OWA)?
Outlook Web Access (OWA) is a webmail service of Microsoft Exchange Server 5.0 and later. The Web interface of Outlook Web Access resembles the interface in Microsoft Outlook. Outlook Web Access comes as a part of Microsoft Exchange Server.
What causes this threat?
Under certain circumstances, an authenticated OWA session can be hijacked by an attacker to perform actions on behalf of the user without the user's knowledge.
What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could perform actions on behalf of the authenticated user in the security context of the active OWA session, such as reading e-mail messages, adding new inbox rules, or changing OWA user preferences.
How could an attacker exploit the vulnerability?
An attacker could exploit this vulnerability by convincing a targeted user to visit a malicious Web page that the attacker crafted specifically for the targeted Exchange domain, during an active OWA session.
Why is there no security update to address this vulnerability?
A security update is not available because addressing the vulnerability would require a design change to implement a new http request verification framework for OWA to help prevent an attacker from hijacking a user's OWA session. Microsoft has determined that introducing a design change of such a magnitude into affected versions of Microsoft Exchange Server would bear too high a risk of destabilizing and breaking customer environments.
What do I do if I am using versions of the product for which an update is not available?
Administrators running affected editions of Microsoft Exchange Server should upgrade to a non-affected version of Microsoft Exchange Server. Microsoft Exchange Server 2007 Service Pack 3 and Microsoft Exchange Server 2010 are not affected by the vulnerability.
Administrators who are unable to upgrade at this time can refer to the Workarounds section for options that can help limit how an attacker can exploit the vulnerability.
I am using an older release of the software discussed in this security advisory. What should I do?
The affected software listed in this advisory have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.
Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
- In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
The following workarounds refer to a setting or configuration change that does not correct the underlying issue but would help limit what an attacker might use the vulnerability to do.
Note These workarounds do not block known attack vectors, but instead help limit how an attacker can exploit the vulnerability by selectively disabling functionality.
Disable rules by using segmentation
Segmentation can be performed on a per-server basis to change the functionality of Outlook Web Access. To prevent attackers from exploiting certain features in Outlook Web Access, Administrators may choose to implement segmentation to disable features selectively.
For information about how to disable rules by using segmentation in Microsoft Exchange Server 2007, see TechNet article, How to Manage Segmentation in Outlook Web Access.
For information about how to disable rules by using segmentation in Microsoft Exchange Server 2003, see Microsoft Knowledge Base Article 833340.
Impact of workaround. Disabling rules will prevent an attacker from modifying the user’s rules through OWA, preventing data exfiltration. However, an attacker could still modify a user’s other options. After implementing this workaround, users will no longer be able to create or update rules using OWA. Existing rules will continue to operate. The impact of this workaround only affects functionality in Outlook Web Access, not in an Outlook client.
Disable the Options panel by using UrlScan
Implementing this workaround will prevent an attacker from being able to view or modify any Exchange options through OWA, preventing most known attacks against the vulnerability described in this advisory.
For information about how to disable the Options panel by using UrlScan, see Microsoft Knowledge Base Article 2299129.
Impact of workaround. Users will no longer be able to modify Exchange options using OWA. Disabling Options also disables rules, as described above. The impact of this workaround only affects functionality in Outlook Web Access, not in an Outlook client.
Additional Suggested Actions
Upgrade to a non-affected version of Microsoft Exchange Server
Microsoft recommends that customers running affected editions of Microsoft Exchange Server upgrade to a non-affected version of Microsoft Exchange Server to address the vulnerability. Microsoft Exchange Server 2007 Service Pack 3 and Microsoft Exchange Server 2010 are not affected by the vulnerability.
Keep Windows Updated
All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
- Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (September 14, 2010): Advisory published.
Built at 2014-04-18T13:49:36Z-07:00