The Outlook Web Access feature of Exchange is activated by default when Exchange 2000 Server is installed, Microsoft said in a security bulletin posted to the company's TechNet Web site. The company recommended that administrators of affected systems should immediately install a patch to fix the problem.
Outlook Web Access allows users to access their Exchange mailbox via the Web, rather than with Outlook client software from their own PC. A flaw exists in the interaction between the Web access feature and Web browser Internet Explorer, Microsoft said. Using malicious code in an e-mail attachment; a hacker could gain access to a user's mailbox, including the ability to delete messages and folders, Microsoft said.
The glitch causes script code in e-mail attachments to execute on the server that runs Outlook Web Access, instead of just in the user's Web browser. After applying the patch the Web-based mail system will prompt the user to download an attachment before opening it. The user can save the document locally, or cancel the download.
Not many companies will be scrambling to install the patch as Exchange 2000 is not widely used yet, said Eric Oukes, an IT consultant with Netherlands-based M@ke IT ICT Consultancy Partners. Exchange 2000 Server was launched on 10 October last year.
"Many of my clients still use Exchange Server 5.5, the version preceding Exchange Server 2000," he said, adding that he services mainly small and medium sized businesses. "Few companies run Windows 2000 Server with Active Directory, which is required to run Exchange 2000 Server. Also many companies wait for initial bugs to be fixed before installing new software."
Oukes said some large enterprises are doing test runs with Exchange Server 2000, but that he doesn't know of any large-scale implementations.
Microsoft said it would also include the fix for this security issue in Exchange 2000 Service Pack 1.
The patch is available for free download from Microsoft's TechNet at: http://www.microsoft.com/technet/security/bulletin/MS01-030.asp