Cross-site scripting (XSS) Vulnerability in OWA

Last July 8th Microsoft released security update MS08-039 for OWA; the following Exchange versions are affected:

 

| Software | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
|---|---|---|---|
| Microsoft Exchange Server 2003 Service Pack 2 | Elevation of Privilege | Important | None (See Update FAQ for additional details) |
| Microsoft Exchange Server 2007 | Elevation of Privilege | Important | MS07-026 |
| Microsoft Exchange Server 2007 Service Pack 1 | Elevation of Privilege | Important | None (See Update FAQ for additional details) |

 

If your question is "can ISA Server 2006 help to mitigate this attack?", the answer is that it potentially can: ISA Server 2006 can block cross-site scripting by inspecting HTTP requests and identifying commands and tags that are common in server responses but are not common in client requests. For more information, review the problem and the solution in the ISA Server TechNet Library.
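To illustrate the kind of request inspection described above, here is an added example (not code from the original post, and not ISA Server's own signature set) of a small filter that URL-decodes the request line and body and rejects requests carrying markup that belongs in server responses rather than in OWA client requests. The pattern list, the `inspect_request` and `normalize` names, and the sample OWA paths are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Markup that a browser would normally only receive from the server, not send.
# Constructed signature list for this example; ISA's real HTTP filter signatures
# are configured by the administrator and are not reproduced here.
SUSPICIOUS_PATTERNS = [
    re.compile(r"<\s*script", re.IGNORECASE),
    re.compile(r"<\s*/?\s*(iframe|object|embed|img|svg)\b", re.IGNORECASE),
    re.compile(r"javascript\s*:", re.IGNORECASE),
    re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),  # onload=, onerror=, ...
]


def normalize(value, max_rounds=3):
    """URL-decode repeatedly (bounded) so doubly encoded payloads are
    inspected in clear form instead of slipping past a literal match."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method, path, body=""):
    """Return (allowed, reason) for one HTTP request.

    Both the request line (path + query string) and the body are decoded and
    matched against the signature list; the first hit blocks the request.
    """
    fields = {"url": path, "body": body}
    for name, raw in fields.items():
        text = normalize(raw)
        for pattern in SUSPICIOUS_PATTERNS:
            if pattern.search(text):
                return False, f"{method} {name} matches /{pattern.pattern}/"
    return True, ""


if __name__ == "__main__":
    # Constructed sample requests: an ordinary OWA folder view, a reply with a
    # harmless body, and two requests smuggling a script tag (one double-encoded).
    samples = [
        ("GET", "/owa/?ae=Folder&t=IPF.Note", ""),
        ("POST", "/owa/ev.owa", "subject=Lunch+on+Friday"),
        ("GET", "/owa/?ae=Item&q=%3Cscript%3E", ""),
        ("POST", "/owa/ev.owa", "body=%253Cscript%253E"),
    ]
    for method, path, body in samples:
        allowed, reason = inspect_request(method, path, body)
        print("ALLOW" if allowed else "BLOCK", method, path, reason)
```

Two things to keep in mind when relying on a filter like this: it only sees traffic that actually passes through the proxy, and signature matching trades false positives (a legitimate body containing `one=two` trips the `on...=` rule) against encodings it does not decode. That is why the filter is a mitigation layered in front of the patch, not a replacement for it.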

 

Note: While this can help to mitigate this vulnerability, it is still STRONGLY RECOMMENDED to apply this update on the Exchange Servers, since the attack could be launched from an internal resource, bypassing ISA entirely.