Thanks for sharing the perspective. I read the report as well; it is sparse on environment detail (e.g. versions of Windows and Exchange, and what update levels for each were installed; and were there OWA servers in the DMZ? That part isn't real clear...) and the explanation of the attack certainly seems like it was done by someone who knew how IIS, .NET Assemblies, and OWA authentication operate together. Certainly not an open "Vulnerability" as the report would have you believe.
Couple that with the fact that there is no explanation of how/when the malicious files were created, and it leads me to believe it was a targeted attack by someone with administrative access to the Exchange server. It may not have been an Exchange administrator or a trusted IT partner, but somehow someone was able to get access to the OWA server and it appears it was all done directly from the OWA server in question. And I'll play devil's advocate; it could have been through an exploitable hole, but again, what version of the OS was being run, with what patch levels, etc.
Really the only thing that the report does well is create FUD and pat the security group on their collective back for finding this issue, and none of the pertinent details of how it happened in the first place.