Microsoft Security Bulletin MS03-047

Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting Attack (828489)

Issued: October 15, 2003
Updated: April 12, 2004
Version Number: 2.1


Summary

Who Should Read This Document:  
System administrators who have servers running Microsoft® Exchange Server 5.5 Outlook® Web Access

Impact of Vulnerability:  
Remote Code Execution

Maximum Severity Rating:  
Moderate

Recommendation:  
System administrators should install this security patch on their servers running Outlook Web Access 5.5

Patch Replacement:
This patch replaces Microsoft Security Bulletin MS01-057.

Caveats:  
Customers who have customized any of the ASP pages in the File Information section in this document should back up those files before applying this patch as they will be overwritten when the patch is applied. Any customizations would then need to be reapplied to the new ASP pages.

Version Requirements for Dependent Components for this patch: 

To install successfully, this patch requires that the OWA server have Internet Explorer 5.01 or greater installed.

Version Recommendations for Dependent Components for OWA: 

At the time of this writing, the following versions are recommended for dependent components on the OWA server:

IIS: 

IIS Version 4.0 on Windows NT 4.0 SP6

IIS Version 5.0 on Windows 2000 SP2 or greater

IE: 

IE Version 5.5 SP2

IE Version 6.0

Tested Software and Patch Download Locations: 

Affected Software:

Microsoft Exchange Server 5.5, Service Pack 4 - Download the patch 

Non Affected Software: 

Microsoft Exchange 2000 Server

Microsoft Exchange Server 2003

The software listed above has been tested to determine if the above versions are affected. Other versions are no longer supported, and may or may not be affected.

General Information

Technical Details

Technical Description:

Subsequent to the original release of this bulletin, it was discovered that certain languages were not covered by the original patch. This bulletin has been updated to provide information about a new patch, which is intended for customers having installed a language from the Language Packs for Outlook Web Access.

In addition, for this patch to function properly the Outlook Web Access (OWA) server on which the patch is installed must have Internet Explorer 5.01 or greater installed. If the patch is installed on a system with a version of IE less than 5.01, unexpected consequences may result. The "Caveats" section has been updated to include version requirements for this patch. It also contains version recommendations for dependent components that are applicable at the time of this writing. The deployment section has also been expanded to discuss in detail how to download and install this security patch.

A cross-site scripting (XSS) vulnerability results due to the way that Outlook Web Access (OWA) performs HTML encoding in the Compose New Message form.

An attacker could seek to exploit this vulnerability by having a user run script on the attacker's behalf. The script would execute in the security context of the user. If the script executes in the security context of the user, the attacker's code could then execute by using the security settings of the OWA Web site (or of a Web site that is hosted on the same server as the OWA Web site) and could enable the attacker to access any data belonging to the site where the user has access.

To exploit this vulnerability through OWA, an attacker would have to send an e-mail message that has a specially-formed link to the user. The user would then have to click the link. To exploit this vulnerability in another way, an attacker would have to know the name of the user's Exchange server and then entice the user to open a specially-formed link from another source while the user is logged on to OWA.

Note: Customers who have customized any of the ASP pages in the File Information section in this document should back up those files before applying this patch as they will be overwritten when the patch is applied. Any customizations would then need to be reapplied to the new ASP pages. Please refer to the Microsoft Support Policy for the Customization of Outlook Web Access available at http://support.microsoft.com/default.aspx?scid=kb;en-us;327178 

Mitigating factors: 

To be affected, the user would have to be logged onto OWA, be enticed to log on to OWA, or use another Web application on the same server as OWA. Generally, a server that runs Exchange Server 5.5 Outlook Web Access does not run other Web applications for reasons of performance, scalability, and security.

To exploit this vulnerability through OWA, an attacker would have to send an e-mail message that has a specially-formed link to a user. The user would then have to click the link.

In the Web-based attack vector, an attacker would have to know the name of a user's Exchange server and then entice the user to open a specially-formed link from some other source while the user is logged on to OWA.

Severity Rating:

Exchange Server 5.5 Outlook Web Access

Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0712

Workarounds

Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability; however, they help block known attack vectors. Workarounds may cause a reduction in functionality in some cases - in such situations this is identified below.

Disable Outlook Web Access for each Exchange site 

Outlook Web Access can be disabled by following these steps. These steps need to be performed on each Exchange site.

1. Start Exchange Administrator.
2. Expand the Configuration container for the site.
3. Select the Protocols container for the site.
4. Open the properties of the HTTP (Web) Site Settings object.
5. Clear the "Enable Protocol" checkbox.
6. Wait for the change to replicate, and then verify that this change has replicated to each server in the site. To do this, bind to each server in the site with Exchange Administrator and view the setting.

Impact of Workaround: Users will have no access to their mailboxes via Outlook Web Access.

Uninstall Outlook Web Access. 

Uninstall Outlook Web Access. For steps on how to do this please refer to the Knowledge Base Article "How to Completely Remove and Re-Install OWA" available at http://support.microsoft.com/default.aspx?scid=kb;en-us;290287

Impact of Workaround: Users will have no access to their mailboxes via Outlook Web Access.

For additional information about how to help make your Exchange environment more secure, visit the Security Resources for Exchange 5.5 Web site.

Frequently Asked Questions

Microsoft has issued a new patch for additional Outlook Web Access languages. Why?
Subsequent to the original release of this bulletin, it was discovered that certain languages were not covered by the original patch. This bulletin has been updated to provide information about a new patch, which is intended for customers having installed a language from the Language Packs for Outlook Web Access.

I have already installed the original patch. Do I need to install the new patch?
The original patch is still effective in removing the security vulnerability if your Outlook Web Access pages are displayed in German, English, French, or Japanese.
The new patch adds support for additional languages available through the Outlook Web Access language pack and does not alter the original patch for the above mentioned languages. If you have added a language from the Language Packs for Outlook Web Access then you do need to apply this new patch.

What is the scope of this vulnerability?
This is a cross-site scripting vulnerability. This vulnerability could enable an attacker to cause arbitrary code to run during another user's Web session. The code could take any action on the user's computer that the Web site is authorized to take; this could include monitoring the Web session and forwarding information to a third party, running other code on the user's system and reading or writing cookies. The code could be written to be persistent, so that if the user returned to the Web site again, the code would run again.
The vulnerability cannot be "injected" into a Web session; it can only be exploited if the user clicks a hyperlink that the attacker provides.
To exploit this vulnerability in another way, other than sending the specially formed link in email to a user, an attacker would have to know the name of a user's Exchange server and then entice the user to open a specially-formed link from some other source while the user is logged on to OWA.

What is Outlook Web Access?
Microsoft Outlook Web Access (OWA) is a service of Exchange Server. By using OWA, users can use a Web browser to access their Exchange mailbox. By using OWA, a server that is running Exchange Server can also function as a Web site that lets authorized users read or send mail, manage their calendar, or perform other mail functions over the Internet.

What is cross-site scripting?
Cross-site scripting (XSS) is a security vulnerability that could enable an attacker to "inject" code into a user's session with a Web site. Unlike most security vulnerabilities, XSS does not apply to any single vendor's products - instead, it can affect any software that generates HTML and that does not follow defensive programming practices.

How does XSS work?
Web pages contain text and HTML markup, which are generated by the server and are interpreted by the client. Servers that generate static pages have full control over the way that the client interprets the pages that the server sends. However, servers that generate dynamic pages do not have control over the way that the client interprets their output. If untrusted content can be introduced into a dynamic page, neither the server nor the client has sufficient information to recognize that this has occurred and to take protective actions.
More information about how cross-site scripting works and what can be done to mitigate such attacks can be found at Information about Cross-Site Scripting Security Vulnerability.

What causes the vulnerability?
The vulnerability results because the Active Server Page (ASP) that Exchange Server 5.5 Outlook Web Access uses when it composes new messages replays the requested URL in HTML without the correct encoding.

What is wrong with Outlook Web Access?
When a user creates a new e-mail message, OWA does not correctly encode the URL for display in HTML. As a result, an attacker could embed a link to a script on a separate Web site and could cause the link to be returned to the Web browser in such a way that the browser thinks that it comes from the OWA Web site.

What could this vulnerability enable an attacker to do?
The vulnerability could enable an attacker who hosts a malicious Web site, or who can entice a user to click a specially-formed link, to carry out a cross-site scripting attack against the user's OWA Web site. By doing so, an attacker could run script in the user's browser and could use the security settings of the OWA Web site or any other Web site that is hosted on the same system and could access cookies and other data that belong to the Web site.

How could an attacker exploit this vulnerability?
An attacker who hosts a malicious Web site could seek to exploit this vulnerability by sending a specially-crafted e-mail message that has an embedded script or link that, when accessed, would send out a Web server query that has a script as part of one of the arguments. The user would have to click the link in the e-mail message while it appears in OWA or while it appears on an external Web site.

Are all versions of OWA vulnerable?
No. The vulnerability affects only Exchange Server 5.5 Outlook Web Access.

On which Exchange servers should I install the patch?
This patch is intended only for servers that are running Exchange Server 5.5 Outlook Web Access. You do not have to install this patch on servers that are not running Exchange Server 5.5 Outlook Web Access.

I have customized my OWA site, what do I do?
Customers having customized any of the ASP pages in the File Information section in this document should back up those files before applying this patch as they will be overwritten when the patch is applied. Any customizations would then need to be reapplied to the new ASP pages. Please refer to the Microsoft Support Policy for the Customization of Outlook Web Access available at http://support.microsoft.com/default.aspx?scid=kb;en-us;327178 

How does the patch eliminate the vulnerability?
The patch eliminates the vulnerability by ensuring that OWA script arguments are encoded so that they cannot be unintentionally executed.
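
The encoding failure and its fix described in the answers above, as an added illustration (not Microsoft's code and not taken from the OWA ASP pages): a hypothetical page that replays the requested URL into HTML, first as-is and then HTML-encoded, with a parser check showing whether the URL altered the page structure. The function names, the `/app/compose` path and the sample URL are constructed for this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed request URL (not from the bulletin): the query string decodes to
# characters that close an attribute value and open a new element.
SAMPLE_URL = "/app/compose?ref=%22%3E%3Cb%3Einjected%3C/b%3E"


def render_unencoded(requested_url: str) -> str:
    """Pre-fix pattern: the decoded URL is replayed into HTML as-is."""
    return '<form action="' + unquote(requested_url) + '">'


def render_encoded(requested_url: str) -> str:
    """Post-fix pattern: the value is HTML-encoded before it is written out."""
    return '<form action="' + html.escape(unquote(requested_url), quote=True) + '">'


class _TagCollector(HTMLParser):
    """Records every start tag (name and attributes) that the parser sees."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parsed_tags(fragment: str):
    """Parse an HTML fragment and return its start tags in document order."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def url_changed_page_structure(fragment: str, requested_url: str) -> bool:
    """True if the echoed URL produced anything other than a single <form>
    whose action attribute holds the whole URL as plain data."""
    return parsed_tags(fragment) != [("form", {"action": unquote(requested_url)})]
```

With encoding applied, the parser still recovers the full URL as the attribute value, so the data survives while the markup characters lose their meaning.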

Security Patch Information

For information about the specific security patch for your platform, click the appropriate link:

Exchange Server 5.5 Service Pack 4

Prerequisites:

This security patch requires Outlook Web Access on Exchange Server 5.5 Service Pack 4.

Installation Information: 

For additional information about the command options that you can use to apply this update, click the article number below to view the article in the Microsoft Knowledge Base:

257946 XGEN: GUI Hotfix Utility Switches /x /m /s /z

Deployment Information 

Two packages for each server language have been combined into one self-extracting cabinet with the following name:

Exchange5.5-KB828489-v2-x86-<serverlang>.EXE

where <serverlang> is the language of your installed Exchange Server:

DEU = German

ENU = English

FRA = French

JPN = Japanese

When you run the package it will extract the two packages to a folder that you have chosen with the following names:

Exchange5.5-KB828489-v2a-x86-<serverlang>.EXE

Exchange5.5-KB828489-v2b-x86-INTL.EXE

How to install: 

If you installed the original security patch for MS03-047 (Exchange5.5-KB828489-x86-<serverlang>), then you must uninstall it before installing the updated security patch. Refer to the section "Removal Information" below for instructions on how to do this.

1. You must install the "v2a" patch (Exchange5.5-KB828489-v2a-x86-<serverlang>.EXE) on all servers where you want to apply this security patch. This package will update the following three things:

Updates the Exchange Server's CDO.DLL

Updates the OWA language that matches the language of the installed Exchange Server

Updates any of the following OWA languages if they are installed:

Chinese (Simplified)

Chinese (Traditional)

English

French

German

Italian

Japanese

Korean

Polish

Russian

Spanish

2. Once the installation of the "v2a" patch is complete, you will only need to install the "v2b" patch (Exchange5.5-KB828489-v2b-x86-INTL.EXE) if your server has one or more of the following OWA languages installed:

Brazilian

Czech

Danish

Dutch

Finnish

Greek

Hungarian

Norwegian

Portuguese

Swedish

Turkish

Note:

Do not uninstall the "v2a" patch even if you only use languages within "v2b" as this could break some functionality.

Only the language packs that are installed will be updated. This package does not install languages that are not already installed.

If you installed the original security patch, the "v2a" patch will require you to first uninstall that patch. This is being done so that if you later have to uninstall the "v2a" patch it will put the server back to a known and supported state. If you need to uninstall both "v2a" and "v2b", then remove them in the reverse order that they were installed.

Patch "v2b" checks if "v2a" is already installed. If "v2a" is not installed it will block install and pop up a message saying that you must install the "v2a" patch first.

You may get a blank message body when opening a message in OWA after the patch is installed if you have your Windows directory on the OWA Server set to read only permissions. To solve this problem, please reference the following Knowledge Base Article: http://support.microsoft.com/default.aspx?scid=KB;EN-US;314532 
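
The install ordering described in the steps and notes above, written out as an added planning helper for administrators covering several OWA servers (example code, not a Microsoft tool). Package names and language lists are copied from this bulletin; the state labels `original`, `v2a`, `v2b` and the function names are this example's own.

```python
# Language coverage of each package, copied from the bulletin's install steps.
V2A_LANGUAGES = frozenset({
    "Chinese (Simplified)", "Chinese (Traditional)", "English", "French",
    "German", "Italian", "Japanese", "Korean", "Polish", "Russian", "Spanish",
})
V2B_LANGUAGES = frozenset({
    "Brazilian", "Czech", "Danish", "Dutch", "Finnish", "Greek", "Hungarian",
    "Norwegian", "Portuguese", "Swedish", "Turkish",
})
# <serverlang> codes from the bulletin's deployment section.
SERVER_LANG_CODES = {"German": "DEU", "English": "ENU", "French": "FRA", "Japanese": "JPN"}

# Labels for what is already on a server (names chosen for this example).
ORIGINAL, V2A, V2B = "original", "v2a", "v2b"


def package_name(kind, server_language):
    """Build the package file name the bulletin gives for this server language."""
    code = SERVER_LANG_CODES[server_language]
    return {
        ORIGINAL: f"Exchange5.5-KB828489-x86-{code}",
        V2A: f"Exchange5.5-KB828489-v2a-x86-{code}.EXE",
        V2B: "Exchange5.5-KB828489-v2b-x86-INTL.EXE",
    }[kind]


def install_plan(server_language, owa_languages, installed=()):
    """Return the ordered (action, package) steps for one OWA server."""
    installed = set(installed)
    languages = set(owa_languages)
    if server_language not in SERVER_LANG_CODES:
        raise ValueError(f"no package listed for server language {server_language!r}")
    unknown = languages - V2A_LANGUAGES - V2B_LANGUAGES
    if unknown:
        raise ValueError(f"languages not listed in the bulletin: {sorted(unknown)}")
    # v2b refuses to install without v2a, and v2a requires the original patch
    # to be removed first, so these inventories cannot be right.
    if V2B in installed and V2A not in installed:
        raise ValueError("inventory reports v2b without v2a")
    if ORIGINAL in installed and V2A in installed:
        raise ValueError("inventory reports the original patch alongside v2a")

    steps = []
    if V2A not in installed:
        if ORIGINAL in installed:
            steps.append(("uninstall", package_name(ORIGINAL, server_language)))
        steps.append(("install", package_name(V2A, server_language)))
    # v2b is needed only when one of its languages is installed, and only after v2a.
    if languages & V2B_LANGUAGES and V2B not in installed:
        steps.append(("install", package_name(V2B, server_language)))
    return steps


def removal_order(installed):
    """Packages are removed in the reverse of their install order: v2b, then v2a."""
    return [kind for kind in (V2B, V2A) if kind in installed]
```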

Restart Requirement:

No. However, the security patch will restart Microsoft Internet Information Services (IIS), the Exchange Store, and the Exchange System Attendant Services. For this reason, install the patch when no users are logged on through OWA.

Removal Information:

To remove this update, use the Add or Remove Programs tool in Control Panel or issue the following command in a console window:

%EXCHSRVR%\828489\UNINSTALL\UNINST.EXE

In Add / Remove Programs the original package is named Microsoft Update 828489 for Exchange 5.5.

The updated packages are named Hotfix for Exchange 5.5 v2a (KB828489a) and Hotfix for Exchange 5.5 v2b (KB828489b) respectively.

File Information:

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

| Date | Time | Version | Size | File Name | Folder |
|---|---|---|---|---|---|
| 09/16/2003 | 13:03 | 5.5.2657.67 | 802,576 | cdo.dll | %WIN%\system32 |
| 09/16/2003 | 11:50 | 5.5.2657.67 | 536,848 | CDOHTML.DLL | %EXSRVROOT%\bin |
| 07/19/2003 | 12:45 | 6.5.6582.0 | 57,344 | htmlsnif.dll | %EXSRVROOT%\bin |
| 07/19/2003 | 12:45 | 6.5.6582.0 | 225,280 | safehtml.dll | %EXSRVROOT%\bin |
| 07/19/2003 | 01:02 | NA | 5,118 | global.asa | %EXSRVROOT%\WEBDATA |
| 08/12/2003 | 12:15 | NA | 1,180 | encode.inc | %EXSRVROOT%\WEBDATA\%WEBDATALANG% |
| 09/16/2003 | 11:49 | NA | 6,835 | root.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG% |
| 09/16/2003 | 11:49 | NA | 2,473 | read.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\ATTACH |
| 09/16/2003 | 11:49 | NA | 2,424 | events.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\CALENDAR |
| 09/16/2003 | 11:49 | NA | 5,783 | main_fr.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\CALENDAR |
| 09/16/2003 | 11:49 | NA | 4,336 | fumsg.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FINDUSER |
| 09/16/2003 | 11:49 | NA | 12,928 | amunres.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS |
| 09/16/2003 | 11:49 | NA | 3,458 | openitem.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS |
| 09/16/2003 | 11:49 | NA | 3,174 | pickform.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS |
| 09/16/2003 | 11:49 | NA | 13,271 | contdet.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\CONTACT |
| 09/16/2003 | 11:50 | NA | 7,952 | frmroot.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\CONTACT |
| 09/16/2003 | 11:50 | NA | 5,388 | postatt.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\CONTACT |
| 09/16/2003 | 11:49 | NA | 11,230 | postMsg.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\CONTACT |
| 09/16/2003 | 11:50 | NA | 5,189 | postroot.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\CONTACT |
| 09/16/2003 | 11:49 | NA | 7,896 | posttitl.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\CONTACT |
| 09/16/2003 | 11:49 | NA | 5,354 | cmpatt.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\NOTE |
| 09/16/2003 | 11:50 | NA | 7,390 | cmpmsg.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\NOTE |
| 09/16/2003 | 11:49 | NA | 3,133 | cmpOpt.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\NOTE |
| 09/16/2003 | 11:49 | NA | 7,091 | cmpTitle.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\NOTE |
| 09/16/2003 | 11:49 | NA | 8,501 | frmroot.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\NOTE |
| 09/16/2003 | 11:49 | NA | 5,306 | postatt.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\POST |
| 09/16/2003 | 11:49 | NA | 6,419 | postMsg.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\POST |
| 09/16/2003 | 11:49 | NA | 6,485 | postroot.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\POST |
| 09/16/2003 | 11:49 | NA | 5,238 | posttitl.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\POST |
| 09/16/2003 | 11:49 | NA | 8,892 | frmroot.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\CANCELED |
| 09/16/2003 | 11:49 | NA | 30,942 | frmRoot.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST |
| 09/16/2003 | 11:49 | NA | 21,055 | mrAppt.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST |
| 09/16/2003 | 11:49 | NA | 5,785 | mrAtt.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST |
| 09/16/2003 | 11:49 | NA | 2,931 | mrOpt.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST |
| 09/16/2003 | 11:49 | NA | 12,675 | mrPlaner.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST |
| 09/16/2003 | 11:50 | NA | 26,555 | mrRecur.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST |
| 09/16/2003 | 11:49 | NA | 10,735 | mrTitle.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\REQUEST |
| 09/16/2003 | 11:49 | NA | 11,544 | frmroot.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\RESP |
| 09/16/2003 | 11:49 | NA | 5,323 | rspatt.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\RESP |
| 09/16/2003 | 11:49 | NA | 8,753 | rspmsg.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\RESP |
| 09/16/2003 | 11:49 | NA | 3,184 | rspopt.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\RESP |
| 09/16/2003 | 11:49 | NA | 7,776 | rsptitle.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\FORMS\IPM\SCHEDULE\MEETING\RESP |
| 09/16/2003 | 11:49 | NA | 11,802 | commands.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\INBOX |
| 09/16/2003 | 11:49 | NA | 11,166 | main_fr.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\INBOX |
| 09/16/2003 | 11:49 | NA | 8,185 | root.asp | %EXSRVROOT%\WEBDATA\%WEBDATALANG%\MOVCPY |

Verifying patch installation:

To verify that the security patch is installed on your computer use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security patch installed by reviewing the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 5.5\SP5\828489a

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 5.5\SP5\828489b

Note: These registry keys may not be created properly when an administrator or an OEM integrates or slipstreams the 828489 security patch into the Windows installation source files.

Acknowledgments

Microsoft thanks the following for working with us to protect customers:

Ory Segal of Sanctum Inc. for reporting the issue described in MS03-047.

Obtaining other security patches:

Patches for other security issues are available from the following locations:

Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".

Patches for consumer platforms are available from the WindowsUpdate web site

Support:

Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls associated with security patches.

Security Resources:

The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Microsoft Software Update Services: http://www.microsoft.com/sus/ 

Microsoft Baseline Security Analyzer (MBSA) details: http://www.microsoft.com/mbsa. Please see http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for list of security patches that have detection limitations with MBSA tool.

Windows Update Catalog: http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166 

Windows Update: http://windowsupdate.microsoft.com 

Office Update: http://office.microsoft.com/officeupdate/

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 October 15, 2003: First Published.

V1.1 October 21, 2003:

Removed unnecessary information from "Deployment" in the "Exchange Server 5.5 Service Pack 4" section of "Security Patch Information."

Updated product specific information in the "Exchange Server 5.5 Service Pack 4" section of "Security Patch Information."

Updated link in the "Severity Rating" section of "Technical Details".

V2.0 October 22, 2003: Updated to include details of an additional patch for languages available through the Outlook Web Access language pack.

V2.1 April 12, 2004: Updated correct registry entries.
