Microsoft Fixes Exchange Server Hole
Thursday, October 1, 2015 @ 05:10 PM gHale
Microsoft Exchange Server just received a patch to fix a security vulnerability that could allow attackers to gain access to active Webmail sessions.
The vulnerability was in Outlook Web Access (OWA) in Microsoft Exchange Server 2013, and allowed any attacker to force the Microsoft Exchange Server to dump debug data on the screen by accessing a maliciously crafted URL.
By going through the information on the screen, attackers would have been able to obtain previously inaccessible session cookie information.
This data could then be used to authenticate against the Exchange Server’s OWA service and gain access to an active Webmail session.
This would then allow the attacker to exfiltrate sensitive and private information from a previously secure system.
This vulnerability has a low complexity level and can be used by any attacker with network access to the server, according to the National Vulnerability Database entry. Microsoft has fixed the vulnerability.