Reported June 08, 2001, by Microsoft.
Microsoft Exchange 2000 Server using Outlook Web Access
Microsoft Exchange 5.5 Server using Outlook Web Access
Microsoft Internet Explorer
A flaw exists in the interaction between Microsoft Exchange Server Outlook Web Access (OWA) and Microsoft Internet Explorer (IE) with message attachments. If an attachment contains HTML code that includes script, the script will execute when the user opens the attachment, regardless of the attachment type. Because OWA requires that the user enable scripting in the zone where the OWA server is located, this script can take action against the user’s Exchange mailbox as if the script were the user, including modifying and manipulating messages.
Discovered by Joao Gouveia.
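A mail-gateway check for the condition described above, added here as an example and not taken from the advisory or from any Microsoft code: it inspects the decoded bytes of each attachment for script markers and ignores the declared type, since the declared type does not stop the script from running. The marker regex, function names and sample message are assumptions constructed for illustration, and the regex is a heuristic rather than a complete HTML parser.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Heuristic markers of active HTML content (assumption: not exhaustive).
ACTIVE_HTML = re.compile(
    rb"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def risky_attachments(raw: bytes):
    """Return (filename, declared_type) for every attachment whose decoded
    bytes contain active-HTML markers, whatever type the sender declared."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        # decode=True undoes base64 / quoted-printable transfer encoding,
        # so the check sees the same bytes the browser would render.
        body = part.get_payload(decode=True) or b""
        if ACTIVE_HTML.search(body):
            hits.append((part.get_filename(), part.get_content_type()))
    return hits


def build_sample() -> bytes:
    """Constructed test message: one attachment declared as an image but
    carrying HTML with an inert script tag, and one harmless attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.test"
    m["To"] = "user@example.test"
    m["Subject"] = "constructed sample"
    m.set_content("See attached.")
    m.add_attachment(
        b"<html><body><script>/* inert placeholder */</script></body></html>",
        maintype="image", subtype="jpeg", filename="photo.jpg",
    )
    m.add_attachment(
        b"plain notes, no markup",
        maintype="application", subtype="octet-stream", filename="notes.bin",
    )
    return m.as_bytes()


if __name__ == "__main__":
    for name, declared in risky_attachments(build_sample()):
        print(f"quarantine {name}: declared {declared}, contains script markers")
```

A gateway would quarantine or strip the flagged parts before delivery to the mailbox that OWA serves.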