OWA is a service of Exchange 5.5 and 2000 Server that allows users to use a Web browser to access their Exchange mailbox. However, a flaw exists in the interaction between OWA and IE for message attachments. If an attachment contains HTML code including script, the script will be executed when the attachment is opened, regardless of the attachment type. Because OWA requires that scripting be enabled in the zone where the OWA server is located, this script could take action against the user's Exchange mailbox. An attacker could use this flaw to construct an attachment containing malicious script code. The attacker could then send the attachment in a message to the user.
What's new in version 2655.77
ReleaseDecember 5, 2008
Date AddedDecember 12, 2001
Operating SystemsWindows, Windows NT, Windows 2000
Additional RequirementsWindows NT/2000, Microsoft Exchange 5.5 SP4