The Inquirer-Home

Microsoft Exchange opens the door for hackers

Not that we're surprised
Wed Sep 15 2010, 13:47

FIRMS RUNNING Microsoft's Exchange mail server could find that users of its Outlook Web Access (OWA) software have their sessions hijacked.

A security vulnerability in Exchange Server 2003 SP2 and Exchange Server 2007 SP1 and SP2 means that attackers can take control of a user's OWA session and issue commands up to the level permitted by security controls without the user knowing. OWA is a rich 'web mail' client that is offered by Exchange Server and has the look and feel of Microsoft's standalone Outlook software.

Microsoft's proposed solution to the problem might raise the ire of its customers. In the security advisory the Vole says, "Microsoft recommends that customers running affected editions of Microsoft Exchange Server upgrade to a non-affected version of Microsoft Exchange Server to address the vulnerability." Of course, system administrators have nothing better to do than upgrade the version of Exchange on all of their mail servers and shift thousands of mailboxes to a new version of Exchange.

Microsoft does give a helping hand, though, by providing a handy list of the Exchange versions that are not affected, and those include Exchange 2000 SP3, 2007 SP3, 2010 and 2010 SP1.

The Vole also recommends segmenting user rights in OWA to limit the potential for damage by hackers. If you feel like implementing a particularly useless 'fix', then Microsoft also offers a way of hiding the display of the OWA options panel, which should flummox only the most novice of script kiddies.

Now all that's left is for Microsoft email system administrators to pick which day to come in at 3AM in order to overcome yet another security hole in Exchange. µ

 
