Vulnerability In Exchange 5.5 : Dec 6
March 30, 2001

Vulnerability in isolation is just one aspect of an Intel Security risk rating. The vulnerability poses some level of risk to customers. Intel Security discloses product vulnerabilities to all customers at the same time. https://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-194/Microsoft-Exchange-Server.html
Isn't this the same issue that you patched in MS01-030? Use of this information constitutes acceptance for use in an AS IS condition. All security bulletins must include the CVSS scores for each vulnerability as well as the associated CVSS vectors.
Use of the product presents no additional risk for customers. What version should I upgrade to? Does this vulnerability affect Outlook or Outlook Express? CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT.
The list below describes what each of these categories means in terms of potential customer impact: Vulnerable: A product contains the vulnerability. If you upgrade to IE 5.0, you will be able to install the patch successfully. Because the attack would require a user to use a specific mail client, a significant degree of social engineering would be required to successfully exploit this vulnerability. When OWA processes a user request to retrieve a mail message, it is possible to embed script in a particular way so that OWA does not filter it correctly causing the
http://xforce.iss.net/xforce/xfdb/7663 No. If the maliciously crafted message were read in any mail client other than a browser through OWA, the attack would fail. The CVSS base score determines our initial response to a given incident.
In some configurations, the OWA Server will also be running Exchange. SB = Security Bulletin (4-10) KB = KnowledgeBase Article (2-4) SS = Sustaining Statement (0-4) NN = Not Needed (0) CVSS = 0Low 0 < CVSS < 4Low 4 ≤ CVSS CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
Is it possible to craft an HTML mail message like this by accident? WHITEHAT SECURITIES, INC. How is it different from the regular OWA requirements? This could include manipulating messages or folders with complete control.
Finally, we have included remediation information for customers who have deployed the patch on systems that do not meet the IE version requirements. Not Vulnerable: A product does not contain the vulnerability or the presence of a vulnerable component cannot be exploited in any manner.
What is the version requirement discussed in this bulletin?
The attack would fail if read in any other mail client. Additional information about this patch Installation platforms: This patch can be installed on systems running the Exchange 5.5 SP4 OWA Service. In other configurations, the OWA Server connects to a different server running Exchange without OWA. The version requirement for this patch is ONLY for the server, not for the clients.
In addition, it contains version recommendations for dependent components that are applicable at the time of this writing. Microsoft Security Bulletin MS01-057 - Moderate Specially Formed Script in HTML Mail can Execute in Exchange 5.5 OWA Published: December 06, 2001 | Updated: October 29, 2003 Version: 2.2 Originally posted: No, the issue only occurs when using IE with OWA. The vulnerability only affects OWA in Exchange 5.5.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Support: Microsoft Knowledge Base article Q313576 discusses this issue and will be available approximately 24 hours after the release of this bulletin. It would require very specific, detailed knowledge and such a message would have to be specifically constructed with malicious intent.
Does this vulnerability affect all browsers using OWA? The "Caveats" section has been updated to include version requirements for this patch. A successful attack can only take action on the mailbox on the Exchange Server as the user.
Not exactly. Any use of this information is at the user's risk. There are NO warranties, implied or otherwise, with regard to this information or its use. I'm confused, do I have to upgrade IE on my OWA clients or my OWA server?
A malicious user is capable of sending a specially crafted email to target users containing an auto-executing Cross-Site Scripted payload. SEIL Series routers SEIL/X1 2.50 through 4.62, SEIL/X2 2.50 through 4.62, SEIL/B1 2.50 through 4.62, and SEIL/x86 Fuji 1.70 through 3.22 allow remote attackers to cause a denial of service (CPU My server doesn't meet this requirement, what should I do to install this patch? If your server does not meet the IE requirement for this patch, you should first upgrade your server and then apply the patch.
Essentially, OWA makes an Exchange server also function as a web site that lets authorized users read or send mail, manage their calendar, or perform other mail functions via the Internet. OWA is a feature in Exchange 5.5 and 2000 that allows users to access their email via a web browser instead of a mail client. Patch information is provided when available. Encrypt sensitive information using Intel's PGP public key. Please provide as much information as possible, including: Discoverer's contact information: Name (either full name or nickname) Physical address (with state-level accuracy instead
Trav. 2008-10-20 2009-01-29 4.3 None Remote Medium Not required None Partial None Open redirect vulnerability in exchweb/bin/redir.asp in Microsoft Outlook Web Access (OWA) for Exchange Server 2003 SP2 (aka build 6.5.7638)