Cross-site scripting (XSS) Vulnerability in OWA


Last July 8th, Microsoft released security update MS08-039 for Outlook Web Access (OWA). The following Exchange versions are affected:


 

























| Software | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by this Update |
| --- | --- | --- | --- |
| Microsoft Exchange Server 2003 Service Pack 2 | Elevation of Privilege | Important | None (See Update FAQ for additional details) |
| Microsoft Exchange Server 2007 | Elevation of Privilege | Important | MS07-026 |
| Microsoft Exchange Server 2007 Service Pack 1 | Elevation of Privilege | Important | None (See Update FAQ for additional details) |


 


If your question is whether ISA Server 2006 can help mitigate this attack, the answer is that it potentially can: ISA Server 2006 can block cross-site scripting by inspecting HTTP requests and identifying commands and tags that are common in server responses but not common in client requests. For more information, review the problem and the solution in the ISA Server TechNet Library.


 



Note: While this can help prevent exploitation of this vulnerability, it is still STRONGLY RECOMMENDED to apply this update on the Exchange Servers, since the vulnerability could be exploited from an internal resource, bypassing ISA.
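The request inspection described above, sketched as an added example (not code from the original post and not ISA Server's implementation). The signature list, function names and sample requests are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed signature list: markup that belongs in server responses,
# not in what a client sends to OWA. This is not ISA Server's own list.
SIGNATURES = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*(iframe|object|embed)\b", re.I),
    re.compile(r"\bon(error|load|click|mouseover)\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
]

def normalize(value, max_rounds=3):
    """Percent-decode repeatedly so encoded and double-encoded markup is seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(url, headers, body=""):
    """Return a (request part, signature) pair for every hit in the request."""
    parts = [("url", url), ("body", body)]
    parts += [("header:" + name, val) for name, val in headers.items()]
    hits = []
    for part, raw in parts:
        text = normalize(raw)
        for sig in SIGNATURES:
            if sig.search(text):
                hits.append((part, sig.pattern))
    return hits

def decide(url, headers, body=""):
    """Block when any part of the request carries response-style markup."""
    return "BLOCK" if inspect_request(url, headers, body) else "ALLOW"

# Constructed sample requests (hostnames and paths are placeholders).
SAMPLES = [
    ("/exchange/user/Inbox/?Cmd=contents", {"Referer": "https://mail.example.test/"}, ""),
    ("/exchange/user/?q=%3Cscript%3Ealert(1)%3C/script%3E", {}, ""),
    ("/exchange/user/?q=%253Cscript%253E", {}, ""),
    ("/exchange/user/", {"Referer": "https://x.example.test/\"onload=1"}, ""),
]

if __name__ == "__main__":
    for url, headers, body in SAMPLES:
        print(decide(url, headers, body), url)
```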


 


 
