Security Advisory 2416728 ASP.NET effects on Exchange 2003 OWA
I attempted to open a case with Microsoft to determine how/if OWA 2003 is affected, but Microsoft's SA web submission site is down. I need to determine what changes, if any, should be applied to mitigate attacks on Exchange SP2 OWA 2003 servers running on Windows Server 2003 SP2, and what the side effects are of changing the error pages in OWA.

Until the Advisory is updated with information about OWA, or Microsoft provides the expected Bulletin or temporary FixIt, what performance counters or activity in the IIS logfiles should we be looking for to detect evidence of attacks?

My results so far (I am not a .NET programmer): running version 3.1 of DetectCustomErrorsDisabled.vbs (note: the links in http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx are to the 3.0 version; 3.1 is from the SRD Blog at http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx) did output 9 Vulnerable configuration. My educated guess is that Exchange/OWA 2003 uses ASP.NET v1.1.4332, so the web.config contents cannot be retrieved using the publicly disclosed attack via ASP.NET 3.5 SP1.

Note: http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/58add890-7685-45aa-b519-4d37eeb8dbec asks the same question about OWA/Exchange 2007.
September 23rd, 2010 5:22pm
