ZDNet UK


Skip to Main Content

  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Jobs
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Security threats Toolkit

Microsoft investigates Exchange security hole

Matthew Broersma ZDNet.co.uk

Published: 24 Nov 2003 15:05 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Microsoft is investigating what may be a serious flaw in Exchange Server 2003, only a month after the software's launch as part of Office System 2003.

The bug appears to affect an Exchange component called Outlook Web Access (OWA), which allows users to access their inboxes and folders via a Web browser.

Users logging into their Web-based mailbox sometimes find themselves accessing another user's account, with full privileges, according to Matthew Johnson, a network administrator with a US company that sells tools for investors and fund managers. Johnson reported the bug earlier this month on the NTBugtraq security mailing list.

"This seems to be a major security flaw and we have had to shut off OWA indefinitely because of the issue," Johnson wrote.

Microsoft has said it is investigating the issue, and said the flaw appears to occur only when Kerberos authentication is disabled. Kerberos is the method, developed at the Massachusetts Institute of Technology, that Microsoft uses for authenticating requests for services. For the moment, the company is advising users to keep Kerberos authentication enabled -- as it is by default -- and may issue a patch or more information when its investigation is complete.

However, Johnson told ZDNet UK that Microsoft's initial analysis doesn't seem to be correct, since his company did not alter Exchange Server's default configuration, and thus should have been using Kerberos. He initially reported the bug to Microsoft two months ago, and said Microsoft is in the process of testing patches.

Microsoft did not respond to requests for additional comment.

Earlier editions of OWA have suffered their share of security problems. In 2001, Microsoft released a patch for the OWA feature in Exchange 5.5 and 2000, but the patch itself notoriously caused many servers to overload and hang, and was pulled offline; a second patch also contained a catastrophic bug.

Last week Aaron Greenspan, a Harvard University junior and president of consulting company Think Computer, published a white paper concluding that Exchange 5.5 and 2000 can be used by spammers to send anonymous email.

  • Email
  • Trackback
  • Clip Link
  • Print friendlyPrint with Konica

Did you find this article useful?
53 out of 108 people found this useful


In association with Intel

Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Security threats


Company/Topic Alerts

Create a new alert from the list below:






Related Jobs

Server Administrator, Exchange, MCSE, Wintel, S. Yorkshire

35K+ CITRIX/EXCHANGE SERVER SUPPORT-LONDON (EXCHANGE/CITRIX)

Technical Analyst, Chichester, 24-25k

Sentry Posts Blog

The Technological Singularity

Are we approaching a point when machines may wake up and become self or seemingly self aware? Vernor Vinge in 1993 seemed to think so. He refered to this event as the "technological... More

2 comments

Mobile Operating Systems: MOPS At a Gl...

Mobile Operating Systems: At a Glance Author: Eric Everson, Founder MyMobiSafe Since posting my blog exposing the security Google G1 security issue, I have received a few emails... More

Post a comment

Met Police catch test cheats

I saw the funny side of this press release, I can just imagine the two people sitting in the car giving the answers to the questions. Why they had wires running from under the bonnet... More

Post a comment

Featured Oracle Resources

Human Resources Management eBook

Supply Chain Management eBook

Design and Innovation Report

Economist Intelligence Unit Report - Technology and growth at mid-sized companies

See All White Papers