Microsoft has revealed a security hole in its Exchange 2000 mail server that could allow an attacker to target corporate employees with programs that delete their mail.
The flaw affects only companies that use a program known as Outlook Web Access, which is part of the Exchange mail server package.
This program allows companies to offer email access to employees via a Web browser.
According to the software giant, an email attachment that appears to be a text file could contain a script that, when opened with Internet Explorer, would be able to modify a person's inbox and other mail folders.
"It's not something that is going to reformat your hard drive," said Christopher Budd, program manager with Microsoft's security response centre.
"The script can only do what the browser will allow it to do; you cannot write files to the machine through the browser."
A malicious program could, however, add, delete and modify the data and messages in a person's inbox.
To exploit the flaw, an attacker would have to create a special text attachment that includes HTML code and scripts.
While the attachment would appear to be a text file to the recipient, once opened, the script would automatically execute without notification.
The good news, however, is that -- because the vulnerability affects only Web mail users and not those using Outlook or Outlook Express -- anyone exploiting the flaw will not have much success, according to Microsoft's Budd.
"This is really dependent on someone reading the attachment" via a Web browser, he said.
"If I sent a virus out to a million people, only a small percentage would be affected."
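A mail gateway can screen for the kind of attachment described above: one presented as a text file that actually carries HTML or script. The following sketch is an added example, not Microsoft's fix or code from the original article; the markup list, function names and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Heuristic (assumed) list of markup that does not belong in a plain-text attachment.
ACTIVE_MARKUP = re.compile(
    r"<\s*(script|html|body|iframe|object|embed|img|svg|meta)\b|javascript:",
    re.IGNORECASE,
)

def suspicious_text_attachments(raw_message):
    """Return filenames of text attachments whose body contains HTML or script markup."""
    flagged = []
    for part in message_from_string(raw_message).walk():
        filename = part.get_filename()
        if filename is None:
            continue  # message body or multipart container, not an attachment
        looks_like_text = (
            part.get_content_type() == "text/plain"
            or filename.lower().endswith(".txt")
        )
        if not looks_like_text:
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
        if ACTIVE_MARKUP.search(text):
            flagged.append(filename)
    return flagged

def build_sample(bodies):
    """Constructed sample message: one text attachment per (filename, body) pair."""
    msg = MIMEMultipart()
    msg["Subject"] = "constructed sample"
    msg.attach(MIMEText("See attached.", "plain"))
    for filename, body in bodies:
        att = MIMEText(body, "plain")
        att.add_header("Content-Disposition", "attachment", filename=filename)
        msg.attach(att)
    return msg.as_string()

# Constructed input: one ordinary text file, one "text" file carrying inert markup.
SAMPLE = build_sample([
    ("minutes.txt", "Meeting moved to 3 < 4 pm; bring notes."),
    ("readme.txt", "<html><body><script>/* inert placeholder */</script></body></html>"),
])

if __name__ == "__main__":
    print(suspicious_text_attachments(SAMPLE))
```

Flagged attachments can be quarantined or delivered as downloads only, so that the browser never renders them inside the Web mail session.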











