FIRMS RUNNING Microsoft's Exchange mail server could find that users of its Outlook Web Access (OWA) software have their sessions hijacked.
A security vulnerability in Exchange Server 2003 SP2 and Exchange Server 2007 SP1 and SP2 means that attackers can take control of a user's OWA session and issue commands up to the level permitted by security controls without the user knowing. OWA is a rich 'web mail' client that is offered by Exchange Server and has the look and feel of Microsoft's standalone Outlook software.
Microsoft's proposed solution to the problem might raise the ire of its customers. In the security advisory the Vole says, "Microsoft recommends that customers running affected editions of Microsoft Exchange Server upgrade to a non-affected version of Microsoft Exchange Server to address the vulnerability." Of course system administrators have nothing better to do than upgrade the version of Exchange on all of their mail servers and shift thousands of mailboxes to a new version of Exchange.
Microsoft does give a helping hand, though, by providing a handy list of the Exchange versions that are not affected, and those include Exchange 2000 SP3, 2007 SP3, 2010 and 2010 SP1.
The Vole also recommends segmenting user rights in OWA to limit the potential for damage by hackers. If you feel like implementing a particularly useless 'fix', then Microsoft also offers a way of hiding the display of the OWA options panel, which should flummox only the most novice of script kiddies.
Now all that's left is for Microsoft email system administrators to pick which day to come in at 3AM in order to overcome yet another security hole in Exchange. µ