Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network.
How could an attacker exploit this vulnerability?
An attacker could exploit this issue by sending a specially crafted email to a user. If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.

How do I protect my Exchange Server from this vulnerability?
The Exchange Emergency Mitigation Service will provide mitigation automatically, and is on by default. If it is not already enabled on your Exchange Server, you need to enable Exchange Emergency Mitigation Service. You can find more information and instructions in the Exchange blog here.

Why are there no links to updates in the Security Update Table?
Microsoft is supplying a temporary mitigation for this vulnerability through the Exchange Emergency Mitigation Service. We are working on developing and testing a more permanent fix which we will provide when it meets our quality standards.
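Because the only protection described above is delivered through the Exchange Emergency Mitigation Service, it is worth confirming that the service is actually enabled and running on every server. The following is an added example, not part of the advisory or a Microsoft-supplied script; it assumes it is run from the Exchange Management Shell and that the Windows service name is MSExchangeMitigation.

```powershell
# Added example: audit Exchange Emergency Mitigation Service (EEMS) state.
# Assumption: run in the Exchange Management Shell with rights to read
# organization and server configuration.

# Organization-wide switch: when $false, no server applies mitigations.
$org = Get-OrganizationConfig
if (-not $org.MitigationsEnabled) {
    Write-Warning 'EEMS is disabled at the organization level.'
    # To enable for the whole organization:
    # Set-OrganizationConfig -MitigationsEnabled $true
}

$report = foreach ($server in Get-ExchangeServer) {
    # The remote service query can fail (firewall, server role without EEMS);
    # report that as Unknown instead of aborting the audit.
    $svc = Get-Service -ComputerName $server.Name -Name 'MSExchangeMitigation' `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Server             = $server.Name
        OrgEnabled         = $org.MitigationsEnabled
        ServerEnabled      = $server.MitigationsEnabled
        ServiceStatus      = if ($svc) { $svc.Status } else { 'Unknown' }
        MitigationsApplied = ($server.MitigationsApplied -join ', ')
        MitigationsBlocked = ($server.MitigationsBlocked -join ', ')
    }
}

$report | Format-Table -AutoSize -Wrap

# Servers that will not receive the temporary mitigation automatically.
$gaps = $report | Where-Object {
    -not $_.OrgEnabled -or -not $_.ServerEnabled -or $_.ServiceStatus -ne 'Running'
}

if ($gaps) {
    Write-Warning ("EEMS not fully active on: {0}" -f ($gaps.Server -join ', '))
    # To enable on a single server:
    # Set-ExchangeServer -Identity <ServerName> -MitigationsEnabled $true
} else {
    Write-Output 'EEMS is enabled and running on all servers checked.'
}
```

An empty MitigationsApplied column on a server where EEMS is enabled and running means no mitigation has been applied there yet; compare that column against the mitigation named in the Exchange blog post.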
Anonymous