Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:13141
HistoryJun 13, 2006 - 12:00 a.m.

Microsoft Security Bulletin MS06-029 Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (912442)

2006-06-1300:00:00
vulners.com
27

Microsoft Security Bulletin MS06-029
Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (912442)
Published: June 13, 2006

Version: 1.0
Summary

Who should read this document: Customers who use Microsoft Exchange Server running Microsoft Outlook Web Access

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Important

Recommendation: Customers should consider applying the security update.

Security Update Replacement: None

Caveats: Microsoft Knowledge Base Article 912442 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 912442.

Tested Software and Security Update Download Locations:

Affected Software:

Microsoft Exchange 2000 Server Pack 3 with the August 2004 Exchange 2000 Server Post-Service Pack 3 Update Rollup — Download the update (KB912442)

Microsoft Exchange Server 2003 Service Pack 1 — Download the update (KB912442)

Microsoft Exchange Server 2003 Service Pack 2 — Download the update (KB912442)

The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

For more information about the August 2004 Exchange 2000 Server Post-Service Pack 3 Update Rollup see Microsoft Knowledge Base Article 870540.
Top of sectionTop of section
General Information

Executive Summary

Executive Summary:

This update resolves a newly discovered, privately reported vulnerability. The vulnerability is documented in the “Vulnerability Details” section of this bulletin. An attacker who successfully exploited the vulnerability could perform script injection attacks.

We recommend that customers consider applying the security update.

Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers Impact of Vulnerability Microsoft Exchange 2000 Server Microsoft Exchange Server 2003 Service Pack 1 and Exchange Server 2003 Service Pack 2

Microsoft Exchange Server when running Outlook Web Access Vulnerability - CVE-2006-1193

Remote Code Execution

Important

Important

This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Top of sectionTop of section

Frequently Asked Questions (FAQ) Related to This Security Update

What are the known issues that customers may experience when they install this security update?
Microsoft Knowledge Base Article 912442 documents the currently known issues that customers may experience when they install this security update on Exchange Server 2003 Service Pack 1 and Exchange Server 2003 Service Pack 2. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 912442.
Microsoft Knowledge Base Article 912918 : Users cannot send e-mail messages from a mobile device or from a shared mailbox in Exchange 2000 Server and in Exchange Server 2003.

Does this update contain any security-related changes to functionality?
Yes. Besides the changes that are listed in the "Vulnerability Details" section of this bulletin, this update includes the following changes in security functionality:

Prior to the Exchange 2003 versions listed above, granting the Full Mailbox Access permission implicitly granted permission to send as the mailbox owner. This meant that another account with Full Mailbox Access could send messages that appeared as if they were sent by the mailbox owner. After applying the security update on Exchange Server 2003 Service Pack 1 or Exchange Server 2003 Service Pack 2, for a user to impersonate a mailbox owner, you will need to grant Send As permissions to the user. For more information, see Microsoft Knowledge Base Article 912918.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?

The following table provides the MBSA detection summary for this security update.
Software MBSA 1.2.1 MBSA 2.0

Microsoft Exchange 2000 Server

Yes

Yes

Microsoft Exchange Server 2003 Service Pack 1

Yes

Yes

Microsoft Exchange Server 2003 Service Pack 2

Yes

Yes

For more information about MBSA, visit the MBSA Web site. For more information about the programs that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660

Can I use Systems Management Server (SMS) to determine whether this update is required?

The following table provides the SMS detection summary for this security update.
Software SMS 2.0 SMS 2003

Microsoft Exchange 2000 Server

Yes

Yes

Microsoft Exchange Server 2003 Service Pack 1

Yes

Yes

Microsoft Exchange Server 2003 Service Pack 2

Yes

Yes

SMS uses MBSA for detection. Therefore, SMS has the same limitation that is listed earlier in this bulletin related to software that MBSA does not detect.

For SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool, can be used by SMS to detect security updates. SMS SUIT uses the MBSA 1.2.1 engine for detection. For more information about the Security Update Inventory Tool, visit the following Microsoft Web site. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460. The SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 Inventory Tool for Microsoft Updates, visit the following Microsoft Web site. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

For more information about SMS, visit the SMS Web site.
Top of sectionTop of section

Vulnerability Details

Microsoft Exchange Server when running Outlook Web Access Vulnerability - CVE- CVE-2006-1193

A script injection vulnerability exists in Exchange Server running Outlook Web Access (OWA). An attacker could exploit the vulnerability by constructing an e-mail message with a specially crafted script. If this specially crafted script is run, it would execute in the security context of the user on the client. Attempts to exploit this vulnerability require user interaction.

Mitigations for Microsoft Exchange Server When Running Outlook Web Access Vulnerability - CVE- CVE-2006-1193:

To be affected, a user would have to use Outlook Web Access to read a specially crafted e-mail message.
Top of sectionTop of section

Workarounds for Microsoft Exchange Server When Running Outlook Web Access Vulnerability - CVE- CVE-2006-1193:

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.

Disable Outlook Web Access (OWA) on a computer running Exchange Server
Disabling Outlook Web Access helps protect the affected system from attempts to exploit this vulnerability. To disable Outlook Web Access, follow these steps:

Click Start, point to All Programs, point to Microsoft Exchange, and then click System Manager.

Expand Servers, expand Server, expand Protocols, and then expand HTTP.

Right-click Exchange Virtual Server, and then click Stop.

Note A red cross will appear over the Exchange Virtual Server icon, indicating it has been stopped. From now on, users will see a The Page Cannot Be Displayed error message when they try to access their e-mail through OWA.

Impact of Workaround: This workaround prevents users from accessing their mailboxes through Outlook Web Access (OWA), Outlook Mobile Access (OMA) and Exchange Server ActiveSync.
Top of sectionTop of section

FAQ for Microsoft Exchange Server When Running Outlook Web Access Vulnerability - CVE-2006-1193:

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Daniel Fabian of SEC Consult for reporting the Microsoft Exchange Server when running Outlook Web Access Vulnerability - CVE-2006-1193

Revisions:

V1.0 (June 13, 2006): Bulletin published.

Related for SECURITYVULNS:DOC:13141