2006-06-14 14:00

[Microsoft Alert] Microsoft Security Bulletin MS06-029

Vulnerability in Microsoft Exchange Server Running Outlook Web Access Could Allow Script Injection (912442)

Issued: June 13, 2006

Version: 1.0

Summary

Who should read this document: Customers who use Microsoft Exchange Server running Microsoft Outlook Web Access

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Important

Recommendation: Customers should consider applying the security update.

Security Update Replacement: None

Vulnerability Details:

A script injection vulnerability exists in Exchange Server running Outlook Web Access (OWA). An attacker could exploit the vulnerability by constructing an e-mail message with a specially crafted script. If this specially crafted script is run, it would execute in the security context of the user on the client. Attempts to exploit this vulnerability require user interaction.

Affected Software:

Microsoft Exchange 2000 Server Service Pack 3 with the August 2004 Exchange 2000 Server Post-Service Pack 3 Update Rollup

Microsoft Exchange Server 2003 Service Pack 1

Microsoft Exchange Server 2003 Service Pack 2

References: http://www.microsoft.com/security/bulletins/current.mspx (Microsoft Security Updates)