A network administrator apparently has stumbled upon a serious security hole in Outlook Web Access, a component...
of Exchange Server 2003 that lets users access their e-mail accounts online.
The flaw randomly gives users access to mailboxes that aren't their own. Users have the ability to interact with other people's mailboxes and can send, receive and read messages, as well as open and manipulate Outlook folders.
Microsoft has given the administrator -- who has requested anonymity for himself and his company -- a patch, and the company says the vulnerability exists only in certain configurations.
The admin, however, said Microsoft is wrong on this count. He added that the patch has been applied and that service has been returned to the few users who had problems on his system, without incident.
The admin said that, three months ago, his team had upgraded two front-end and back-end servers to Windows Server 2003 and Exchange Server 2003. Shortly after the upgrade, users randomly began reporting that they were being logged on to other people's mailboxes with full privileges.
Microsoft was informed immediately, the administrator said.
"Microsoft did reproduce the problem and had mentioned that this had been a problem in their beta testing before Exchange had been released, and the problem was thought to be corrected but apparently not," the admin said in an e-mail exchange with SearchSecurity.com. "Microsoft [had] us make all kinds of changes, and we thought the problem was gone, but it kept happening. We had to shut down OWA and could do no more testing because of the security risk."
Microsoft released a statement late last week about this situation, and the company said the security issue occurs only if Kerberos authentication is disabled. Microsoft said such a configuration is rare because Kerberos is enabled by default in Exchange Server 2003. Kerberos is a secure method for authenticating a request for a network service.
The administrator, however, said Kerberos was enabled during and after the upgrade.
"We did not turn off Kerberos or change any default configuration, so I am not sure what they are referring to," he said. "I believe there are other companies experiencing this issue -- Microsoft [support] led us to believe this."
This could be the first major security flaw in Exchange Server 2003, which was made available to certain customers in August and to the general public Oct. 21. Previous versions have recently been the center of security issues. In October, Microsoft released the first of its new monthly patch releases, and the release included a patch for a critical buffer overflow vulnerability in Exchange Server 2000. That flaw could enable remote execution of code. On the same day, a less serious denial-of-service flaw was found in Exchange Server 5.5.
Earlier this month, a Harvard University student published a white paper that detailed a flaw in Exchange Server 5.5 and Exchange Server 2000. The flaw could be used by spammers to send bulk e-mail messages anonymously. The researcher said that, even if all security features were updated on the servers, spammers could use it to send spam through a guest account.
FEEDBACK: Get out your crystal ball: Will Microsoft include the vulnerability in its December patch release?
Send your feedback to the SearchSecurity.com news team.