MS08-039: Which users are vulnerable to the OWA XSS vulnerability?

Today we released MS08-039, which addresses several XSS vulnerabilities in the Outlook Web Access (OWA) component of Microsoft Exchange. Although the update is applied to the Exchange server, it is the client computers used to access OWA that are potentially at risk. We’d like to explain a little more about the vulnerability so that you can determine whether you or your organization are at risk.

OWA has two modes: OWA Light (called OWA Basic in Exchange 2003) and OWA Premium. In short, if OWA Light/Basic is used, you are exposed to the XSS vulnerabilities. You can tell whether OWA Light is in use from the “Use Outlook Web Access Light” check box on OWA’s logon screen.

So which mode is the default mode in OWA?

To use OWA Premium, the browser must support ActiveX and the restricted IFRAME features. A browser without these features can therefore only use OWA Light. The OWA logon screen shows which mode will be used. In the screenshot below, a browser that does not support ActiveX and/or the restricted IFRAME features can only use OWA Light – notice that there is no option to un-check the “Use Outlook Web Access Light” box.

If you are using Internet Explorer with ActiveX enabled, OWA defaults to Premium mode; in fact, in the default configuration Internet Explorer users are forced into Premium mode. An Exchange administrator can, however, configure the Exchange servers to enable OWA Light for all users, or even to force OWA Light for all users. Exchange cannot be configured to force all clients into OWA Premium mode. OWA Premium users are not vulnerable to the XSS vulnerabilities addressed by this security update.
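As an added illustration (not code from the original post or from Microsoft), here is a small Python helper that classifies a saved OWA logon page by the state of the “Use Outlook Web Access Light” check box described above, so an administrator can inventory which logon pages still offer or force Light mode. The HTML snippets are constructed samples, and the checkbox id `chkBsc` is an assumed placeholder; the real form markup varies by Exchange version, so the check keys on the visible label text rather than on any field name.

```python
from html.parser import HTMLParser

# Visible label text from the OWA logon screen (case-insensitive match).
LIGHT_LABEL = "use outlook web access light"


class _LogonFormParser(HTMLParser):
    """Collect every checkbox together with the text that labels it."""

    def __init__(self):
        super().__init__()
        self.checkboxes = []   # one dict per <input type="checkbox">
        self.label_text = {}   # <label for="id"> -> label text
        self._label = None     # label currently being parsed
        self._pending = None   # last checkbox, to pick up text that directly follows it

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)        # bare attributes (checked, disabled) map to None
        if tag == "input" and (a.get("type") or "").lower() == "checkbox":
            box = {"id": a.get("id"), "checked": "checked" in a,
                   "disabled": "disabled" in a, "text": ""}
            self.checkboxes.append(box)
            if self._label is not None:        # <label><input ...> text</label>
                self._label["boxes"].append(box)
            else:
                self._pending = box
        elif tag == "label":
            self._label = {"for": a.get("for"), "text": [], "boxes": []}
            self._pending = None

    def handle_endtag(self, tag):
        if tag == "label" and self._label is not None:
            text = " ".join(self._label["text"])
            if self._label["for"]:
                self.label_text[self._label["for"]] = text
            for box in self._label["boxes"]:
                box["text"] += " " + text
            self._label = None

    def handle_data(self, data):
        data = data.strip()
        if not data:
            return
        if self._label is not None:
            self._label["text"].append(data)
        elif self._pending is not None:        # <input ...> Use Outlook Web Access Light
            self._pending["text"] += " " + data
            self._pending = None


def classify_logon_page(html):
    """Return how the logon page presents OWA Light:
    'light-forced'      box is checked and cannot be un-checked (browser lacks
                        ActiveX / restricted IFRAME support, or admin forces Light)
    'light-optional'    box can be ticked, so users may choose Light
    'light-unavailable' box is present but disabled and unchecked
    'no-light-checkbox' the page offers no Light option at all
    """
    parser = _LogonFormParser()
    parser.feed(html)
    for box in parser.checkboxes:
        text = (box["text"] + " " + parser.label_text.get(box["id"] or "", "")).lower()
        if LIGHT_LABEL in text:
            if box["checked"] and box["disabled"]:
                return "light-forced"
            if box["disabled"]:
                return "light-unavailable"
            return "light-optional"
    return "no-light-checkbox"


def light_mode_possible(html):
    """True when clients reaching this logon page can end up in OWA Light."""
    return classify_logon_page(html) in ("light-forced", "light-optional")


# Constructed sample logon forms (placeholder id, not real OWA markup).
PAGE_NO_ACTIVEX = """<form>
<input type="checkbox" id="chkBsc" checked disabled>
<label for="chkBsc">Use Outlook Web Access Light</label>
</form>"""

PAGE_LIGHT_OPTIONAL = """<form>
<label><input type="checkbox" id="chkBsc"> Use Outlook Web Access Light</label>
</form>"""

PAGE_NO_OPTION = """<form>
<input type="checkbox" id="chkPrivate"> This is a private computer
</form>"""

if __name__ == "__main__":
    for name, page in [("no ActiveX", PAGE_NO_ACTIVEX),
                       ("admin enabled Light", PAGE_LIGHT_OPTIONAL),
                       ("no Light option", PAGE_NO_OPTION)]:
        print(f"{name}: {classify_logon_page(page)} (Light possible: {light_mode_possible(page)})")
```

Run it against logon pages saved from each Exchange front end; any result other than `no-light-checkbox` or `light-unavailable` means some clients can still be served OWA Light and the server update matters for them.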

Here’s the logon screen when a browser supports the features required for Premium mode and the Exchange administrator has configured the server to enable OWA Light:

– Security Vulnerability Research & Defense Bloggers

*Postings are provided “AS IS” with no warranties, and confer no rights.*