Cross-site scripting (XSS) Vulnerability in OWA
Last July 8th, Microsoft released security update MS08-039 for OWA. The following Exchange versions are affected:
| Software | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
|---|---|---|---|
| | Elevation of Privilege | Important | None (See Update FAQ for additional details) |
| | Elevation of Privilege | Important | |
| | Elevation of Privilege | Important | None (See Update FAQ for additional details) |
If your question is whether ISA Server 2006 can help mitigate this attack, the answer is that it potentially can: ISA Server 2006 can block cross-site scripting by inspecting HTTP requests and identifying commands and tags that are common in server responses but not in client requests. For more information, review the problem and the solution in the ISA Server TechNet Library.
Note: While this can help to prevent exploitation of this vulnerability, it is still STRONGLY RECOMMENDED to apply this update on the Exchange Servers, since the vulnerability could be exploited from an internal resource, bypassing ISA.
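
The request-side inspection described above, sketched as an added example (not ISA Server's own filter or signature set, and not from the original post): it percent-decodes the query string and body, then flags markup that belongs in server responses rather than client requests. The pattern list, function names, and sample requests are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Markup that is normal in server responses but unusual in client requests.
# Constructed pattern list for illustration; not ISA Server's signature set.
SUSPICIOUS = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("active-tag", re.compile(r"<\s*(iframe|object|embed|img|svg|body)\b", re.I)),
    ("event-handler", re.compile(r"[\s\"'/]on[a-z]{3,}\s*=", re.I)),
    ("script-uri", re.compile(r"\b(java|vb)script\s*:", re.I)),
]

def normalize(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(method, target, body=""):
    """Return sorted names of the patterns found in the query string or body."""
    parts = urlsplit(target)
    hits = set()
    for field in (parts.query, body):
        text = normalize(field)
        for name, pattern in SUSPICIOUS:
            if pattern.search(text):
                hits.add(name)
    return sorted(hits)

def decide(method, target, body=""):
    """Block the request if any response-style markup appears in it."""
    hits = inspect_request(method, target, body)
    return ("block", hits) if hits else ("allow", hits)

# Constructed sample requests (paths are placeholders, not real OWA URLs).
SAMPLES = [
    ("GET", "/mail/view?id=42&folder=Inbox", ""),
    ("GET", "/mail/view?subject=%3Cscript%3Ealert(1)%3C%2Fscript%3E", ""),
    ("GET", "/mail/view?q=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E", ""),
    ("POST", "/mail/compose", "body=Hello+team%2C+see+you+at+5"),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, decide(method, target, body))
```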