Outlook Web Access Script Execution Vulnerability in Microsoft Exchange

Reported December 6, 2001, by Microsoft.



  • Microsoft Exchange Server 5.5 using Outlook Web Access


A vulnerability exists in the Microsoft Exchange Server 5.5 Outlook Web Access (OWA) service that lets an attacker take any action on the user’s mailbox that the user can take, including deleting, moving and sending messages. The vulnerability results from a problem in the way that OWA handles inline script in messages when used in conjunction with Internet Explorer (IE). If the user uses OWA to open an HTML message containing a specially formed script, the script executes under the user’s security context.



The vendor, Microsoft, has released Security Bulletin MS01-057 to address this vulnerability and recommends that affected users apply the patch provided at this URL.


Discovered by Lex Arquette of WhiteHat Security.
