Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

December 2014 security update for Exchange Server 2007 and Exchange Server 2010


View products that this article applies to.

Symptoms

Outlook Web App Token Spoofing Vulnerability

A token spoofing vulnerability exists in Microsoft Exchange Server 2007 and Microsoft Exchange Server 2010. It could allow an attacker to send email messages that seem to come from a trusted source, and the messages contain a link to a website of the attacker. In a web-based attack scenario, an attacker could host a website that is used to try exploiting this vulnerability. Additionally, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. However, in almost every case, an attacker cannot force users to view the attacker controlled content. Instead, an attacker would have to convince users to take action, typically by having them click a link in an email message or Instant Messenger message, to take users to his or her website.

↑ Back to the top


Cause

This issue occurs because Outlook Web App does not properly validate a request token.

↑ Back to the top


Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

↑ Back to the top


Keywords: kbqfe, kbfix, kbsurveynew, kbexpertiseadvanced, kb

↑ Back to the top

Article Info
Article ID : 3015738
Revision : 1
Created on : 1/7/2017
Published on : 12/9/2014
Exists online : False
Views : 223