PT-2007-1701 · Microsoft · Exchange Server+1

Published: 2007-05-08 · Updated: 2020-04-09 · CVE-2007-0220

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions
Microsoft Exchange Server versions 2000 SP3, 2003 SP1, and 2003 SP2

Description
The issue concerns an information disclosure vulnerability in Microsoft Exchange, specifically in how Outlook Web Access (OWA) handles script-based attachments. This vulnerability allows remote attackers to execute arbitrary scripts, spoof content, or obtain sensitive information via certain UTF-encoded, script-based e-mail attachments. The vulnerability is related to an incorrectly handled UTF character set label.

Recommendations
For Microsoft Exchange Server 2000 SP3, consider disabling the handling of script-based attachments in OWA until a fix is available. For Microsoft Exchange Server 2003 SP1 and SP2, restrict access to OWA for attachments that could potentially exploit this issue, and avoid using OWA to open suspicious or untrusted attachments until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

XSS

Weakness Enumeration

Related Identifiers

CVE-2007-0220

Affected Products

Exchange Server
Outlook Web Access