Microsoft has identified the specific configuration that opens a gaping security hole in Outlook Web Access, a component of Exchange Server 2003 that enables users to access their mailboxes online.
A network administrator who requested anonymity reported last week that users were gaining random access to mailboxes that were not their own via OWA. Microsoft was immediately informed and, late last week, produced two Knowledge Base articles that detail the problem and advise on remediation.
"At worst, this issue could result in access to mailboxes at random and only to an authenticated Exchange user in the same organization, on the same network," a Microsoft spokesman told SearchSecurity.com.
Microsoft said the vulnerability surfaces when Windows SharePoint Services 2.0 is installed on a computer running both Exchange Server 2003 and Windows Server 2003. Administrators should note that their systems are at risk only if they have deployed front-end Exchange 2003 servers and have installed SharePoint Services on Exchange 2003 back-end servers, Microsoft said.
"The deployment causes Kerberos authentication to be disabled in Internet Information Services (IIS) [Web servers] and can result in the incorrect handling of Outlook Web Access requests to an Exchange Server," the spokesman said.
Microsoft points out that only this specific configuration causes the problem to surface, and it does not affect users who have deployed a version of Exchange 2003 in conjunction with Windows Small Business Server 2003.
"It's important to note that not all Exchange 2003 customers using Windows SharePoint Services are affected by this. It is a very specific configuration," the spokesman said.
Windows Server 2003 ships with Kerberos enabled by default, and Microsoft recommends leaving it enabled in IIS. Kerberos is a secure method for authenticating a request for a network service.
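The article says the affected configuration leaves Kerberos disabled in IIS but does not show how an administrator would confirm that on a server. The following batch script is an added example, not code from the article or from Microsoft's Knowledge Base articles. It assumes (none of this is stated on the page) that IIS 6 records its enabled authentication providers in the metabase property NTAuthenticationProviders, that the adsutil.vbs administration script is present in %SystemDrive%\Inetpub\AdminScripts, that the OWA virtual directory lives at w3svc/1/root/Exchange on the default Web site, and that adsutil.vbs reports an unset property with the phrase "not set at this node". A provider list that contains "Negotiate" means Kerberos is offered; a list reading "NTLM" alone means Kerberos has been turned off at that node.

```batch
@echo off
rem Added example: reports whether IIS 6 still offers Kerberos (Negotiate)
rem at the server level and at the OWA virtual directory.
rem Assumptions (not from the article): the NTAuthenticationProviders
rem metabase property, the adsutil.vbs location, site id 1 for the default
rem Web site, and adsutil's "not set at this node" wording.
setlocal
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs
if not exist "%ADSUTIL%" (
    echo adsutil.vbs not found at %ADSUTIL%
    exit /b 2
)
rem Check the server-wide node first, then the OWA virtual directory.
for %%N in (w3svc w3svc/1/root/Exchange) do call :check %%N
endlocal
exit /b 0

:check
set NODE=%1
cscript //nologo "%ADSUTIL%" get %NODE%/NTAuthenticationProviders > "%TEMP%\ntauth.txt" 2>&1
rem Property absent at this node: IIS inherits the parent's value.
findstr /I /C:"not set at this node" "%TEMP%\ntauth.txt" >nul && (
    echo %NODE%: NTAuthenticationProviders not set here, value inherited from parent
    goto :eof
)
rem "Negotiate" in the list means Kerberos is enabled for this node.
findstr /I /C:"Negotiate" "%TEMP%\ntauth.txt" >nul && (
    echo %NODE%: Kerberos ^(Negotiate^) is enabled
    goto :eof
)
echo %NODE%: Kerberos is NOT offered; provider list reported by IIS:
type "%TEMP%\ntauth.txt"
goto :eof
```

Run it from a command prompt on the Exchange back-end server after SharePoint Services has been installed; a line reporting that Kerberos is not offered at either node matches the condition the article describes and is the point at which to consult Microsoft's Knowledge Base articles for the supported remediation.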
Microsoft provided a patch to the administrator who reported the flaw, and service has been restored to the administrator's users without incident.
It is unknown whether Microsoft will include a fix for this hole in its monthly patch release, which is due next week.
This could be the first major security flaw in Exchange Server 2003, which was made available to the general public Oct. 21. Previous versions have recently been the center of security issues. In October, Microsoft released the first of its new monthly patch releases, and the release included a patch for a critical buffer overflow vulnerability in Exchange Server 2000. That flaw could enable remote execution of code. On the same day, a less serious denial-of-service flaw was found in Exchange Server 5.5.
Earlier this month, a Harvard University student published a white paper that detailed a flaw in Exchange Server 5.5 and Exchange Server 2000. The flaw could be used by spammers to send bulk e-mail messages anonymously. The researcher said that, even if all security features were updated on the servers, spammers could use it to send spam through a guest account.