The bug appears to affect an Exchange component called Outlook Web Access (OWA), which allows users to access their in-boxes and folders via a Web browser.
Consumers logging into their Web-based mailbox sometimes find themselves accessing another user's account, with full privileges, according to Matthew Johnson, a network administrator with a U.S. company that sells tools for investors and fund managers. Johnson reported the bug earlier this month on the NTBugtraq security mailing list.
"This seems to be a major security flaw, and we have had to shut off OWA indefinitely because of the issue," Johnson wrote.
Microsoft has said it is investigating the issue and that the flaw appears to occur only when Kerberos authentication is disabled. Kerberos is the method--developed at the Massachusetts Institute of Technology--that Microsoft uses for authenticating requests for services. For the moment, the company is advising customers to keep Kerberos authentication enabled, as it is by default, and may issue a patch or more information when its investigation is complete.
However, Johnson said that Microsoft's initial analysis doesn't seem to be correct, because his company did not alter Exchange Server's default configuration and thus should have been using Kerberos. He initially reported the bug to the software giant two months ago, and said Microsoft is in the process of testing patches.
Microsoft did not respond to requests for additional comment.
Earlier editions of OWA have suffered their share of security problems. In 2001, Microsoft released a patch for the OWA feature in Exchange 5.5 and 2000, but the patch itself notoriously caused many servers to overload and hang and was pulled offline; a second patch also contained a catastrophic bug.
A week and a half ago, Aaron Greenspan, a Harvard University junior and president of consulting company Think Computer, published a white paper concluding that Exchange 5.5 and 2000 can be used by spammers to send anonymous e-mail.
