"FIRMS RUNNING Microsoft's Exchange mail server could find that users of its Outlook Web Access (OWA) software have their sessions hijacked.
A security vulnerability in Exchange Server 2003 SP2 and Exchange Server 2007 SP1 and SP2 means that attackers can take control of a user's OWA session and issue commands up to the level permitted by security controls without the user knowing. OWA is a rich 'web mail' client that is offered by Exchange Server and has the look and feel of Microsoft's standalone Outlook software.
Microsoft's proposed solution to the problem might raise the ire of its customers. In the security advisory the Vole says, "Microsoft recommends that customers running affected editions of Microsoft Exchange Server upgrade to a non-affected version of Microsoft Exchange Server to address the vulnerability." Of course, system administrators have nothing better to do than upgrade the version of Exchange on all of their mail servers and shift thousands of mailboxes to a new version of Exchange.
Microsoft does give a helping hand, though, by providing a handy list of the Exchange versions that are not affected, and those include Exchange 2000 SP3, 2007 SP3, 2010 and 2010 SP1.
The Vole also recommends segmenting user rights in OWA to limit the potential for damage by hackers. If you feel like implementing a particularly useless 'fix', then Microsoft also offers a way of hiding the display of the OWA options panel, which should flummox only the most novice of script kiddies.
Now all that's left is for Microsoft email system administrators to pick which day to come in at 3AM in order to overcome yet another security hole in Exchange."
By Lawrence Latif on the Inquirer
Wed Sep 15 2010