For its regular monthly security announcement in August 2004, Microsoft released only a single Security Bulletin, MS04-026, “Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks.” This vulnerability, which could allow a remote attacker to run arbitrary code on a compromised system, has also been assigned the MITRE candidate ID CAN-2004-0203.
There hasn’t been any proof of concept published for this vulnerability, and the threat itself wasn’t made public before the Security Bulletin and patch were released by Microsoft.
The vulnerability is due to a weakness in the way Outlook Web Access validates HTTP redirection query input, and the update corrects this flaw. Microsoft reports that the vulnerability may also make it possible to insert spoofed data into Web browser caches and intermediate proxy server caches.
MBSA (Microsoft Baseline Security Analyzer) version 1.2 or later will identify this vulnerability, and SMS (Systems Management Server) will deploy this fix. MS04-026 replaces the patch provided in Microsoft Security Bulletin MS03-047.
This vulnerability is found only in Exchange Server 5.5. Exchange 2000 Server and Exchange Server 2003 are not vulnerable.
Risk level – Moderate
Microsoft rates this as only a moderate threat because the at-risk service isn’t used in all Exchange installations, and the threat hasn’t been disclosed until now. However, it’s important to remember that the Microsoft ratings are not simply a measure of how much damage the vulnerability can cause if exploited. Any remote code execution threat is critical if your system is vulnerable, so this threat poses significant risk to those organizations that are running OWA on Exchange 5.5.
Using SSL connections would eliminate this threat because the data would be encrypted and not cached on proxy servers. Also, if you block anonymous access to OWA, only authorized users can exploit this vulnerability.
Fix – Apply patch
You will need to have Exchange 5.5 Service Pack 4 installed before applying the provided patch.
If Outlook Web Access is not needed, then you can simply remove it, which will mitigate this threat. See Knowledge Base Article 290287 for detailed instructions.
Another workaround is to disable OWA via Exchange Administrator. You need to do this for each Exchange site.
I have long felt that Microsoft should use a different vulnerability rating system that explicitly shows all the separate factors Microsoft uses to rate a threat. The overall rating we see today is simple but really doesn’t convey much information. If you don’t have an affected component installed, then your risk level is zero; but if you do have a vulnerable system, then the threat level may easily be critical, while the same vulnerability gets an overall rating of moderate.
Here is an example of individual vulnerability ratings based on various considerations:
* Exploit danger: CRITICAL
* Proof of concept published: LOW (if not published)
* Exploit seen: LOW (if not seen in wild)
* Number of potentially affected systems: LOW
* Risk if best practices followed: LOW
* Overall risk: MODERATE
This is the type of system that I would recommend that Microsoft adopt for rating its vulnerabilities.
Also, I think it’s important to remind administrators, at least once every year, just how much confidence Microsoft places in these patches and the associated Knowledge Base articles. I have no inside information, but I can read the disclaimer that you will find at the bottom of Security Bulletins:
“The information provided in the Microsoft Knowledge Base is provided ‘as is’ without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages.”
Now, I’m certainly not a lawyer and have no ambitions in that area, but I do know what “as is” means when you buy a used car. It’s also important to note that Microsoft disclaims responsibility for “any damages,” even if Microsoft knows that there is a possibility of such damage.
In other words, always remember that you are on your own when it comes to making sure these patches work right, and that installing them won’t end up breaking something else on your network.