Script Execution Vulnerability in Microsoft Exchange Outlook Web Access

Reported June 08, 2001, by Microsoft.



  • Microsoft Exchange 2000 Server using Outlook Web Access

  • Microsoft Exchange 5.5 Server using Outlook Web Access

  • Microsoft Internet Explorer


A flaw exists in how Microsoft Exchange Server Outlook Web Access (OWA) and Microsoft Internet Explorer (IE) interact when handling message attachments. If an attachment contains HTML code that includes script, the script will execute when the user opens the attachment, regardless of the attachment type. Because OWA requires that the user enable scripting in the zone where the OWA server is located, this script can take action against the user’s Exchange mailbox as if the script were the user, including modifying and manipulating messages.
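A mail-gateway style check for the condition described above, as an added example that is not part of the original advisory or of Microsoft's patch: it inspects each attachment's decoded bytes for HTML or script markers instead of trusting the declared type. The marker list, the 4096-byte inspection window, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Illustrative markers of active HTML content (assumption, not an exhaustive list).
HTML_MARKERS = re.compile(
    rb"<\s*(html|script|iframe|object|embed|svg|body)\b|javascript:", re.IGNORECASE)
SNIFF_BYTES = 4096  # assumption: inspect only the leading bytes of each attachment


def scan_attachments(raw_message: bytes):
    """Return (filename, declared_type, marker) for every attachment whose
    decoded content looks like HTML or script, whatever type is declared."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart() or not part.is_attachment():
            continue
        data = part.get_payload(decode=True) or b""
        hit = HTML_MARKERS.search(data[:SNIFF_BYTES])
        if hit:
            marker = hit.group(0).decode("ascii", "replace").lower()
            findings.append((part.get_filename(), part.get_content_type(), marker))
    return findings


def build_sample() -> bytes:
    """Constructed sample: three attachments, two with HTML behind other types."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"<html><script>/* placeholder */</script></html>",
                       maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"GIF89a<script>/* placeholder */</script>",
                       maintype="image", subtype="gif", filename="logo.gif")
    msg.add_attachment(b"Quarterly totals: 1 < 2",
                       maintype="text", subtype="plain", filename="report.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, declared, marker in scan_attachments(build_sample()):
        print(f"{name}: declared {declared}, content contains {marker!r}")
```

A hit on an attachment declared as anything other than HTML is the mismatch worth quarantining or logging, since the declared type says nothing about how the content is treated once opened.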




The vendor, Microsoft, has acknowledged this vulnerability and recommends that users immediately apply the patch mentioned in Security Bulletin MS01-030. 


Discovered by Joao Gouveia.
