For its regular monthly security announcement in August
2004, Microsoft released only a single Security Bulletin, MS04-026,
“Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow
Cross-Site Scripting and Spoofing Attacks.” This vulnerability, which
could allow a remote attacker to run arbitrary code on a compromised system,
has also been assigned the MITRE candidate ID CAN-2004-0203.


There hasn’t been any proof of concept published for this
vulnerability, and the threat itself wasn’t made public before the Security
Bulletin and patch were released by Microsoft.

This vulnerability itself is due to a weakness in the way
Outlook Web Access validates HTTP redirection query input, and the update
corrects this flaw. Microsoft reports it may also be possible for this
vulnerability to insert spoofed data in Web browser caches and intermediate
proxy server caches.

MBSA (Microsoft Baseline Security Analyzer) version 1.2 or
later will identify this vulnerability, and SMS (Systems Management Server) will
deploy this fix. MS04-026 replaces the patch provided in Microsoft Security
Bulletin MS03-047.


This vulnerability is found only in Exchange Server 5.5. Exchange
2000 Server and Exchange Server 2003 are not vulnerable.

Risk level – Moderate

Microsoft rates this as only a moderate threat because the
at-risk service isn’t used in all Exchange installations, and the threat hasn’t
been disclosed until now. However, it’s important to remember that the Microsoft
ratings are not simply a measure of how much damage the vulnerability can cause
if exploited. Any remote code execution threat is critical if your system is
vulnerable, so this threat poses significant risk to those organizations that
are running OWA on Exchange 5.5.

Mitigating factors

Using SSL connections would eliminate this threat because
the data will be encrypted and not cached on proxy servers. Also, if you block
anonymous access to OWA, only authorized users can take advantage of this

Fix – Apply patch

You will need to have Exchange 5.5 Service Pack 4 installed
before applying the provided patch.

If Outlook Web Access is not needed, then you can simply remove it, which will mitigate this threat. See Knowledge Base Article 290287
for detailed instructions.

Another workaround is to disable OWA via Exchange Administrator.
You need to do this for each Exchange site.

Final word

I have long felt that Microsoft should use a different
vulnerability rating system that explicitly shows all the separate factors
Microsoft uses to rate a threat. The overall rating we see today is simple but
really doesn’t convey much information. If you don’t have an affected component
installed, then your risk level is zero; but if you do have a vulnerable system,
then the threat level may easily be critical, while the same vulnerability gets
an overall rating of moderate.

Here is an example of individual vulnerability ratings based
on various considerations:

  • Exploit danger: CRITICAL
  • Proof of concept published: LOW (if not
  • Exploit seen: LOW (if not seen in wild)
  • Number of potentially affected systems: LOW
  • Risk if best practices followed: LOW
  • Overall risk: MODERATE

This is the type of system that I would recommend Microsoft
to adopt for rating its vulnerabilities.

Also, I think it’s important to
remind administrators, at least once every year, just how much confidence Microsoft places in these
patches and the associated Knowledge Base articles. I have no inside
information, but I can read the disclaimer that you will find at the bottom of
Security Bulletins:

“The information provided in the Microsoft Knowledge
Base is provided ‘as is’ without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event shall
Microsoft Corporation or its suppliers be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business profits
or special damages, even if Microsoft Corporation or its suppliers have been
advised of the possibility of such damages.”

Now, I’m certainly not a lawyer and have no ambitions in
that area, but I do know what “as is” means when you buy a used car. It’s
also important to note that Microsoft disclaims responsibility for “any
damages,” even if Microsoft knows that there is a possibility of such

In other words, always remember that you are on your own
when it comes to making sure these patches work right, and that installing them
won’t end up breaking something else on your network.

Also watch for …

  • A
    Minnesota teen, Jeffrey Lee Parson, has pled guilty to
    modifying and re-releasing the highly destructive Blaster worm. He was
    charged with the crime last year but denied responsibility until August
    2004. Parson could get up to three years as a guest of the U.S.
    federal penal system and could also be ordered to pay millions of dollars in
  • The
    “Mosquitos” game is available as a pirated download for some mobile phone
    models. You might want to avoid that particular stolen software since it
    causes your phone to dial some expensive numbers and upload text messages
    to them, and you’ll never know until the next bill arrives. This first
    cropped up in the Far East, and I can’t determine which models are at
    risk. So, for the time being, my advice is to just avoid all of the Mosquito
    software. There are reports on this issue from Symbian
    and The