SecurityvulnsSECURITYVULNS:DOC:6596Microsoft Security Bulletin MS04-026 Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842436)
Microsoft Security Bulletin MS04-026
Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842436)
Issued: August 10, 2004
Version: 1.0
Summary
Who should read this document: System administrators who have servers running MicrosoftĀ® Exchange Server 5.5 OutlookĀ® Web Access
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Moderate
Recommendation: Customers should consider applying the security update.
Security Update Replacement: This update replaces the security update that is provided in Microsoft Security Bulletin MS03-047.
Caveats: Customers who have customized any of the Active Server Pages (ASP) pages that are listed in the File Information section in this document should back up those files before they apply this update because those ASPs will be overwritten when the update is applied. Any customizations would then have to be reapplied to the new ASP pages.
Version Requirements for Dependent Components for This Update:
To install successfully, this update requires that the Microsoft Outlook Web Access server have either: Internet Explorer 5.01 Service Pack 3 (SP3) installed when using Windows 2000 SP3; Internet Explorer 5.01 SP4 installed when using Windows 2000 SP4; or Internet Explorer 6 SP1installed when using other supported operating systems.
Version Recommendations for Dependent Components on the Outlook Web Access Server:
At the time of this writing, the following versions are recommended for dependent components on the Outlook Web Access server:
ā¢ Microsoft Internet Information Services (IIS):
ā¢ IIS 4.0 on Windows NT 4.0 SP6
ā¢ IIS 5.0 on Windows 2000 SP3 or later
ā¢ Microsoft Internet Explorer:
ā¢ Internet Explorer 6.0
Tested Software and Security Update Download Locations:
Affected Software:
ā¢ Microsoft Exchange Server 5.5 SP4
Non-Affected Software:
ā¢ Microsoft Exchange 2000 Server
ā¢ Microsoft Exchange Server 2003
Affected Components:
ā¢ Outlook Web Access - Download the update
The software in this list has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the following Microsoft Support Lifecycle Web site. Support for Outlook Web Access for Exchange Server 5.0 has ended.
Top of section
General Information
Executive Summary
Executive Summary:
This update resolves a newly-discovered, privately reported vulnerability. A cross-site scripting and spoofing vulnerability exists in Outlook Web Access for Exchange Server 5.5 that could allow an attacker to convince a user to run a malicious script. The vulnerability is documented in the Vulnerability Details section of this bulletin.
An attacker who successfully exploited the vulnerability could manipulate Web browser caches and intermediate proxy server caches, and put spoofed content in those caches. They may also be able to exploit the vulnerability to perform cross-site scripting attacks.
We recommend that customers consider applying the security update.
Note Customers who have customized any of the ASP pages that are listed in the File Information section in this document should back up those files before they apply this update because those ASPs will be overwritten when the update is applied. Any customizations would then have to be reapplied to the new ASP pages. See Microsoft Knowledge Base Article 327178 for the Microsoft support policy for the customization of Outlook Web Access.
Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers Impact of Vulnerability Exchange Server 5.5
Cross-site Scripting and Spoofing Vulnerability - CAN-2004-0203
Remote Code Execution
Moderate
This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Top of section
Frequently asked questions (FAQ) related to this security update
What updates does this release replace?
This update replaces the security update that is provided in Microsoft Security Bulletin MS03-047.
Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine if this update is required?
Yes. MBSA will determine if this update is required. For more information about MBSA, visit the MBSA Web site.
Note After April 20, 2004, the Mssecure.xml file that is used by MBSA 1.1.1 and earlier versions is no longer being updated with new security bulletin data. Therefore, scans that are performed after that date with MBSA 1.1.1 or earlier will be incomplete. All users should upgrade to MBSA 1.2 because it provides more accurate security update detection and supports additional products. Users can download MBSA 1.2 from the MBSA Web site. For more information about MBSA support, visit the following Microsoft Baseline Security Analyzer 1.2 Q&A Web site.
Can I use Systems Management Server (SMS) to determine if this update is required?
Yes. SMS can help detect and deploy this security update. For information about SMS, visit the SMS Web site.
Top of section
Vulnerability Details
Cross-site and Spoofing Vulnerability - CAN-2004-0203:
This is a cross-site scripting and spoofing vulnerability. The cross-site scripting vulnerability could allow an attacker to convince a user to run a malicious script. If this malicious script is run, it would execute in the security context of the user. Attempts to exploit this vulnerability require user interaction. This vulnerability could allow an attacker access to any data on the Outlook Web Access server that was accessible to the individual user.
It may also be possible to exploit the vulnerability to manipulate Web browser caches and intermediate proxy server caches, and put spoofed content in those caches.
Mitigating Factors for Cross-site and Spoofing Vulnerability - CAN-2004-0203:
ā¢ The following supported versions of Outlook Web Access for Exchange are not affected
ā¢ Outlook Web Access for Exchange 2000 Server
ā¢ Outlook Web Access for Exchange Server 2003
Mitigating factors for cross site scripting attacks
ā¢ An attacker who successfully exploited the cross-site scripting aspect of this vulnerability would only gain the same privileges as the user when using Outlook Web Access.
Mitigating factors for placing spoofed content in a userās Web browser cache
ā¢ Clients who have turned on the Do not save encrypted pages to disk advanced Internet option in Internet Explorer would not be at risk from any attempts to put spoofed content into the client cache if they accessed their Outlook Web Access site through the Secure Sockets Layer (SSL) protocol.
Mitigating factors for placing spoofed content in an intermediate proxy serverās cache
ā¢ Clients who use SSL-protected connections to access Outlook Web Access would not be vulnerable to attempts to put spoofed content on intermediate proxy server caches. This is because SSL session data is encrypted and is not cached on intermediate proxy servers.
ā¢ If spoofed content is successfully put in an intermediate proxy serverās cache, it could be difficult for an attacker to predict which users would be served the spoofed cached content.
ā¢ An attacker must be able to log on to Outlook Web Access to attempt to exploit this vulnerability. If you do not allow anonymous access to Outlook Web Access, only authenticated users could attempt to exploit this vulnerability.
Top of section
Workarounds for Cross-site and Spoofing Vulnerability - CAN-2004-0203:
Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
ā¢ Disable Outlook Web Access for Each Exchange Site
You can disable Outlook Web Access by following these steps. You must follow these steps on each Exchange site.
Start Exchange Administrator.
Expand the Configuration container for the site.
Click the Protocols container for the site.
Open the properties of the HTTP (Web) Site Settings object.
Click to clear the Enable Protocol check box.
Wait for the change to replicate, and then verify that this change has replicated to each server in the site. To do this, bind to each server in the site with Exchange Administrator, and then view the setting.
Impact of Workaround: Users cannot access to their mailboxes using Outlook Web Access.
ā¢ Remove Outlook Web Access
For steps on how to remove Outlook Web Access, see Microsoft Knowledge Base Article 290287.
Impact of Workaround: Users cannot access to their mailboxes using Outlook Web Access
For additional information about how to help secure your Exchange environment, visit the Security Resources for Exchange 5.5 Web site.
Top of section
FAQ for Cross-site and Spoofing Vulnerability - CAN-2004-0203:
What is the scope of the vulnerability?
This is a cross-site scripting and spoofing vulnerability. The cross-site scripting vulnerability could allow an attacker to convince a user to run a malicious script. If this malicious script is run, it would execute in the security context of the user. Attempts to exploit this vulnerability require user interaction. This vulnerability could allow an attacker access to any data on the Outlook Web Access server that was accessible to the individual user.
It may also be possible to exploit the vulnerability to manipulate Web browser caches and intermediate proxy server caches, and put spoofed content in those caches.
What causes the vulnerability?
Outlook Web Access does not properly validate input that is provided to a HTML redirection query before it sends this input to the browser.
What is Outlook Web Access?
Microsoft Outlook Web Access is a service of Microsoft Exchange Server. By using Outlook Web Access, users can access their Exchange mailbox through a Web browser. By using Outlook Web Access, a server that is running Exchange Server can also function as a Web site that lets authorized users read or send mail, manage their calendar, or perform other mail functions over the Internet.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited the vulnerability could perform cross-site scripting attacks, display spoofed responses to users, or redirect server responses to another user.
How could an attacker exploit the vulnerability?
An attacker could create an e-mail message that is specially crafted to attempt to exploit this vulnerability. An attacker could exploit the vulnerability by sending this specially crafted e-mail message to a user of a server that is running Outlook Web Access for Exchange Server 5.5. An attacker could then persuade the user to click a link in the e-mail message.
It may also be possible to exploit the vulnerability to manipulate Web browser caches and intermediate proxy server caches and put spoofed content in those caches.
What systems are primarily at risk from the vulnerability?
Systems running Outlook Web Access for Exchange Server 5.5 are primarily at risk from this vulnerability.
Are all supported versions of Outlook Web Access vulnerable?
No. The vulnerability affects only Outlook Web Access for Exchange Server 5.5. Outlook Web Access for Exchange 2000 Server and Outlook Web Access for Exchange Server 2003 are not vulnerable.
On which Exchange servers should I install the update?
This update is intended only for servers that are running Outlook Web Access for Exchange Server 5.5. You do not have to install this update on servers that are not running Outlook Web Access for Exchange Server 5.5.
I have customized my Outlook Web Access site, what do I do?
Customers who have customized any of the ASP pages that are listed in the File Information section in this security bulletin should back up those files before they apply this update because these pages will be overwritten when the update is applied. Any customizations would then have to be reapplied to the new ASP pages. See Microsoft Knowledge Base Article 327178 for the Microsoft support policy for the customization of Outlook Web Access.
What does the update do?
The update removes the vulnerability by modifying the way that Outlook Web Access validates input that is provided to an HTTP redirection query before it sends this input to the client.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Top of section
Top of section
Top of section
Security Update Information
Installation Platforms and Prerequisites:
For information about the specific security update for your platform, click the appropriate link:
Exchange Server 5.5 Service Pack 4
Prerequisites
This security update requires Outlook Web Access for Exchange Server 5.5 SP4.
The software that is listed has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support lifecycle for your product and version, visit the Microsoft Support Lifecycle Web site.
For more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.
Installation Information
This security update supports the following setup switches:
/x Generates a list of the packaged files.
/s Performs a silent installation.
/z The same as the /x switch, but the /z switch automatically restarts the computer.
/m Prompts you for the folder locations.
Note For additional information about the command options that you can use to apply this update, click the article number below to view the article in the Microsoft Knowledge Base:
257946 XGEN: GUI Hotfix Utility Switches /x /m /s /z
Deployment Information
The security update package Exchange5.5-KB842436-x86-<ServerLanguage>.exe contains three separate security updates:
Exchange5.5-KB842436a-x86-<ServerLanguage>.exe
Exchange5.5-KB842436b-x86-<ServerLanguage>.exe
Exchange5.5-KB842436c-x86-<ServerLanguage>.exe
NoteIn the following procedure, we refer to these updates as update "a," "b," and "c" respectively.
This security update has been separated into three parts because of the large number of files that are affected and to reduce the complexity of the installation scripts.
Running the main security update package will copy updates "a," "b," and "c" to a location that you specify. Running each of these updates will install the update on the server.
You must install update "a." Install updates "b" and "c only if your server uses one or more of the client languages that are contained in update "b" or in update "c."
To install the security update:
You must install the update (Exchange5.5-KB842436a-x86-<ServerLanguage>.exe) regardless of which languages are installed on the server running Outlook Web Access.
Update "a" will update the following:
CDO.dll, CDOHTML.dll, HTMLSNIF.dll, and SAFEHTML.dll.
You must install the Outlook Web Access language that matches the language that is specified on the server that is running Microsoft Exchange Server.
The following Outlook Web Access languages are available to install:
ā¢ Chinese (Simplified)
ā¢ Chinese (Traditional)
ā¢ English
ā¢ French
ā¢ German
ā¢ Italian
ā¢ Japanese
ā¢ Spanish
After the installation of update "a" finishes, install update "b," update "c," or both. You must install update "b" if any of the following Outlook Web Access languages are installed on your computer:
ā¢ Brazilian (Portuguese)
ā¢ Polish
ā¢ Russian
ā¢ Greek
ā¢ Portuguese
ā¢ Swedish
ā¢ Korean
You must install update "c" if any of the following Outlook Web Access languages are installed on your server:
ā¢ Hungarian
ā¢ Norwegian
ā¢ Czech
ā¢ Turkish
ā¢ Finnish
ā¢ Danish
ā¢ Dutch
NoteYou must install update "a" even if you only use languages that are contained in update "b" or in update "c." You must install update "a" to be able to install updates "b" and "c," and for these updates to function properly. You will not be able to install update "b" or update "c" unless you have already installed update "a."
NoteYou must not remove update "a" after you have installed update "b," after you have installed update "c," or both, even if you do not use the languages in update "a." Doing so could prevent updates "b" and "c" from functioning properly.
NoteOnly language packs that are already installed on the server will be updated. If you install update "b" or update "c" on servers where the appropriate languages are not installed, you will not cause any damage.
For more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.
Note After you install the update, you might see a blank message body when you open a message in Outlook Web Access if the permissions for the Windows directory on the server that is running Outlook Web Access are set to read-only. For more information about this, see Microsoft Knowledge Base Article 314532.
Restart Requirement
This update does not require a restart. However, the update will restart Microsoft Internet Information Services (IIS), the Exchange Store, and the Exchange System Attendant Services. Therefore, install the update when no users are logged on through Outlook Web Access.
Removal Information
To remove this security update, run the following command at a command prompt:
ā¢ %EXCHSRVR%\842346a\UNINSTALL\UNINST.EXE
ā¢ %EXCHSRVR%\842346b\UNINSTALL\UNINST.EXE
ā¢ %EXCHSRVR%\842346c\UNINSTALL\UNINST.EXE
You may also remove this update by using Add or Remove Programs in Control Panel. The updates are listed as follows:
ā¢ Security Update for Exchange Server 5.5 (KB842436a)
ā¢ Security Update for Exchange Server 5.5 (KB842436b)
ā¢ Security Update for Exchange Server 5.5 (KB842436c)
Note If you want to remove the update, you must remove update "b" and update "c" before you can remove update "a."
File Information
The English version of this update has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Note Date, time, and file name information could change during installation. See the Verifying Update Installation section for details on verifying an installation.
Exchange Server 5.5 Service Pack 4:
Date Time Version Size File name
18-May-2004 16:29 12,928 amunres.asp
18-May-2004 16:29 1,835 appts.asp
15-Jan-2004 17:49 5,761 attach.inc
18-May-2004 16:29 5,465 cmpatt.asp
18-May-2004 16:30 7,390 cmpmsg.asp
18-May-2004 16:29 3,133 cmpOpt.asp
18-May-2004 16:29 7,091 cmpTitle.asp
19-May-2004 20:01 5.5.2658.1080 2,576 cdo.dll
18-May-2004 16:30 5.5.2658.1053 7,360 cdohtml.dll
18-May-2004 16:29 11,862 commands.asp
18-May-2004 16:29 11,292 commands.asp
18-May-2004 16:29 22,722 commands.asp
18-May-2004 16:28 19,184 commands.asp
18-May-2004 16:28 18,172 commands.asp
18-May-2004 16:28 37,173 commands.asp
18-May-2004 16:28 21,240 commands.asp
18-May-2004 16:30 8,294 commands.asp
18-May-2004 16:30 13,271 contdet.asp
18-May-2004 16:30 796 delete.asp
18-May-2004 16:29 2,119 detcmds.asp
17-May-2004 17:29 1,655 encode.inc
18-May-2004 16:28 2,424 events.asp
18-May-2004 16:30 7,952 frmroot.asp
18-May-2004 16:29 1,854 frmroot.asp
18-May-2004 16:29 8,501 frmroot.asp
08-Jul-2004 22:35 7,961 frmroot.asp
18-May-2004 16:29 9,974 frmroot.asp
18-May-2004 16:28 9,705 frmroot.asp
18-May-2004 16:30 9,643 frmroot.asp
18-May-2004 16:30 7,951 frmroot.asp
18-May-2004 16:28 8,892 frmroot.asp
18-May-2004 16:28 30,942 frmRoot.asp
18-May-2004 16:30 11,544 frmroot.asp
18-May-2004 16:29 4,336 fumsg.asp
15-Nov-2002 18:41 6.5.6582.0 57,344 htmlsnif.dll
15-Nov-2002 18:41 6.5.6582.0 57,344 htmlsnif.dll
18-May-2004 16:30 2,645 item.asp
19-Oct-2000 07:00 3,686 jsroot.inc
18-May-2004 16:28 6,815 logon.asp
18-May-2004 16:29 2,963 logonfrm.asp
18-May-2004 16:28 5,783 main_fr.asp
18-May-2004 16:28 10,269 main_fr.asp
18-May-2004 16:29 11,166 main_fr.asp
18-May-2004 16:28 2,433 messages.asp
18-May-2004 16:28 2,542 messages.asp
19-Jul-2003 20:02 5,118 global.asa
18-May-2004 16:28 21,055 mrappt.asp
30-Jun-2004 21:47 5,934 mratt.asp
18-May-2004 16:28 2,931 mropt.asp
18-May-2004 16:28 12,675 mrplaner.asp
18-May-2004 16:28 14,620 mrread.asp
18-May-2004 16:30 26,555 mrrecur.asp
18-May-2004 16:29 10,735 mrtitle.asp
18-May-2004 16:28 3,458 openitem.asp
08-Jul-2004 22:30 12,233 pageutil.inc
18-May-2004 16:29 3,444 peerfldr.asp
18-May-2004 16:29 3,450 peerfldr.asp
18-May-2004 16:28 8,999 pick.asp
18-May-2004 16:29 3,174 pickform.asp
18-May-2004 16:30 5,534 postatt.asp
18-May-2004 16:29 5,452 postatt.asp
18-May-2004 16:29 11,230 postmsg.asp
18-May-2004 16:28 6,419 postmsg.asp
18-May-2004 16:30 5,189 postroot.asp
18-May-2004 16:30 6,485 postroot.asp
18-May-2004 16:29 7,896 posttitl.asp
18-May-2004 16:28 5,238 posttitl.asp
18-May-2004 16:28 9,770 read.asp
18-May-2004 16:29 10,641 read.asp
18-May-2004 16:29 9,899 read.asp
18-May-2004 16:29 14,601 read.asp
18-May-2004 16:30 2,575 read.asp
18-May-2004 16:28 6,835 root.asp
18-May-2004 16:29 8,185 root.asp
18-May-2004 16:28 5,468 rspatt.asp
18-May-2004 16:29 8,753 rspmsg.asp
18-May-2004 16:29 3,184 rspopt.asp
18-May-2004 16:28 7,776 rsptitle.asp
15-Nov-2002 18:41 6.5.6582.0 225,280 safehtml.dll
15-Nov-2002 18:41 6.5.6582.0 225,280 safehtml.dll
18-May-2004 16:28 8,505 title.asp
18-May-2004 16:28 4,242 title.asp
18-May-2004 16:29 7,958 title.asp
Verifying Update Installation
ā¢ Microsoft Baseline Security Analyzer
To verify that a security update is installed on an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. This tool allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.
ā¢ Registry Key Verification
You may also be able to verify the files that this security update has installed by reviewing the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 5.5\SP5\842436a
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 5.5\SP5\842436b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 5.5\SP5\842436c
Note These registry keys may not be created correctly when an administrator or an OEM integrates or slipstreams the 842436 security update into the Windows installation source files.
Top of section
Top of section
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
ā¢ Amit Klein of Sanctum Inc. for reporting the Cross-site Scripting and Spoofing Vulnerability (CAN-2004-0203).
Obtaining Other Security Updates:
Updates for other security issues are available from the following locations:
ā¢ Security updates are available from the Microsoft Download Center: You can find them most easily by doing a keyword search for "security_patch".
ā¢ Updates for consumer platforms are available from the Windows Update Web site.
Support:
ā¢ Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
ā¢ International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.
Security Resources:
ā¢ The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
ā¢ Microsoft Software Update Services
ā¢ Microsoft Baseline Security Analyzer (MBSA)
ā¢ Windows Update
ā¢ Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.
ā¢ Office Update
Software Update Services:
By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.
For more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.
Systems Management Server:
Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and to perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, see the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.
Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, see the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
ā¢ V1.0 (August 10, 2004): Bulletin published
Related
