Security Advisory 2416728 ASP.NET effects on Exchange 2003 OWA
I attempted to open a case with Microsoft to determine how/if OWA 2003
is affected, but Microsoft's SA web submission site is down. I need to
determine what changes, if any, should be applied to mitigate attacks on
Exchange SP2 OWA 2003 servers running on Windows Server 2003 SP2, and what the
side effects are of changing the error pages in OWA. Until the Advisory is
updated with information about OWA, or Microsoft provides the expected
Bulletin or temporary FixIt, what performance counters or activity in the
IIS logfiles should we be looking for to detect evidence of attacks?

My results so far (I am not a .NET programmer): running version 3.1 of
DetectCustomErrorsDisabled.vbs (note that the links in
http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx
are to the 3.0 version; 3.1 is from the SRD Blog at
http://blogs.technet.com/b/srd/archive/2010/09/17/understanding-the-asp-net-vulnerability.aspx)
did output 9 Vulnerable configuration. My educated guess is that
Exchange/OWA 2003 uses ASP.NET v1.1.4332, so the web.config contents cannot
be retrieved using the publicly disclosed attack via ASP.NET 3.5 SP1.

Note:
http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/58add890-7685-45aa-b519-4d37eeb8dbec
asks the same question about OWA/Exchange 2007.
September 23rd, 2010 5:22pm