Exchange Team Blog

No new security vulnerability in Outlook Web Access (OWA)

The Exchange Team, Oct 07, 2015

Recently, reports of a new security vulnerability in OWA, a component of Microsoft Exchange Server, have circulated on the internet. Microsoft considers the security of our products to be a top responsibility to our customers.

We have investigated these reports and believe that a properly deployed and secured Exchange Server is not susceptible to the attacks they describe. One of the reports skips over the important detail of how an attacker would 'gain a foothold into a highly strategic asset' on a system that is properly managed, secured and up to date. The "attack" in question could only be carried out by someone who already had administrative access to the server's file system and services, or who could log on to an Exchange Server console with the rights to replace Exchange system files and perform an Internet Information Services (IIS) reset. In other words, it is a post-compromise technique: the attacker must already hold administrative control of the server, and that prior compromise, not the behaviour of OWA, is the condition a properly managed deployment has to prevent.

Microsoft recommends that IT administrators run the latest products and services, in combination with industry best practices for IT management, to avoid the condition outlined in these reports.
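The precondition described above (replacing Exchange files on disk, then restarting IIS so the replaced module is loaded) leaves two artefacts an administrator can look for on the server itself. The PowerShell below is an added example, not code from the original post or from the Exchange team: it flags OWA binaries that are unsigned, not signed by Microsoft, or recently modified, and lists recent IIS reset events. It assumes the default Exchange 2013/2016 install root (adjust $ExchangeRoot), local administrator rights on the server, and that iisreset logs System events 3201/3202; verify that last assumption on your own build before relying on it.

```powershell
# Added example (not from the original post). Looks for the traces the attack
# described above would leave: a replaced OWA module and an IIS restart.
# Assumptions: default Exchange V15 install root, run as a local administrator.

function Find-UntrustedOwaModule {
    param(
        [string]$ExchangeRoot = 'C:\Program Files\Microsoft\Exchange Server\V15',  # assumed default path
        [int]$ModifiedWithinDays = 30
    )

    # Directories holding the OWA code that IIS loads; extend the list for your build.
    $paths = @(
        "$ExchangeRoot\ClientAccess\Owa",
        "$ExchangeRoot\FrontEnd\HttpProxy\owa"
    )
    $cutoff = (Get-Date).AddDays(-$ModifiedWithinDays)

    foreach ($dir in $paths) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -Recurse -File -Include *.dll, *.exe |
            ForEach-Object {
                $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
                $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                $trusted = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')
                # A file an attacker dropped shows up as untrusted, recently written, or both.
                if (-not $trusted -or $_.LastWriteTime -gt $cutoff) {
                    [pscustomobject]@{
                        Path          = $_.FullName
                        LastWriteTime = $_.LastWriteTime
                        Signature     = $sig.Status
                        Signer        = $signer
                        Trusted       = $trusted
                    }
                }
            }
    }
}

function Get-RecentIisReset {
    param([int]$Days = 30)
    # Assumption: iisreset.exe records its stop/start commands in the System log as
    # events 3201 (stop) and 3202 (start). Confirm the IDs on your server.
    $filter = @{ LogName = 'System'; Id = 3201, 3202; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: review anything untrusted or newly written, then correlate with IIS restarts.
Find-UntrustedOwaModule | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
Get-RecentIisReset | Format-Table -AutoSize
```

A signed Microsoft binary with a recent LastWriteTime is normal right after a cumulative update, so compare the output against a known-good server at the same update level before treating a hit as a replaced module; an unsigned or third-party-signed DLL under the OWA directories is the finding that needs explaining.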

The Exchange Team

Updated Jul 01, 2019
Version 2.0
  • Thanks for sharing the perspective. I read the report as well; it is sparse on environment detail (e.g. versions of Windows and Exchange, and what update levels for each were installed; and were there OWA servers in the DMZ? That part isn't really clear...), and the explanation of the attack certainly seems like it was done by someone who knew how IIS, .NET assemblies, and OWA authentication operate together. Certainly not an open "Vulnerability" as the report would have you believe.

    Couple that with the fact that there is no explanation of how/when the malicious files were created, and it leads me to believe it was a targeted attack by someone with administrative access to the Exchange server. It may not have been an Exchange administrator or a trusted IT partner, but somehow someone was able to get access to the OWA server, and it appears it was all done directly from the OWA server in question. And I'll play devil's advocate; it could have been through an exploitable hole, but again, what version of the OS was being run, with what patch levels, etc.?

    Really the only thing that the report does well is create FUD and pat the security group on their collective back for finding this issue, and none of the pertinent details of how it happened in the first place.

  • I think the only thing the "security researchers" in this case have achieved is notoriety... pretty much anything with a logon page on a compromised web server could cough up logon credentials. How the server got compromised in the first place, which should have been the focus of the article, could be anyone's guess. May not have even been a software vulnerability, e.g.: phishing, disgruntled employee, other software that may require admin privileges with their logon credentials in configuration files in plain view...