Exchange 2000 flaw could allow hacker access

Microsoft warned users of the Outlook Web Access module of its Exchange 2000 Server e-mail system that a security vulnerability could allow unauthorized access to mailbox contents. The company issued a patch for the flaw on Wednesday.

The problem is limited to the Outlook Web Access feature of Exchange, which is activated by default when Exchange 2000 Server is installed, Microsoft said in a security bulletin posted to the company's TechNet Web site. The company recommended that administrators of affected systems should immediately install a patch to fix the problem.

Outlook Web Access allows users to access their Exchange mailbox via the Web, rather than with Outlook client software from their own PC. A flaw exists in the interaction between the Web access feature and Web browser Internet Explorer, Microsoft said. Using malicious code in an e-mail attachment; a hacker could gain access to a user's mailbox, including the ability to delete messages and folders, Microsoft said.

The glitch causes script code in e-mail attachments to execute on the server that runs Outlook Web Access, instead of just in the user's Web browser. After applying the patch the Web-based mail system will prompt the user to download an attachment before opening it. The user can save the document locally, or cancel the download.

Microsoft said it would also include the fix for this security issue in Exchange 2000 Service Pack 1.

The patch is available for free download from Microsoft's TechNet at: in Redmond, Washington, can be reached at +1-425-882-8080 or