December 10, 2001, 9:30 AM — A patch released last week to fix a flaw in the Outlook Web Access module of Microsoft Corp.'s Exchange 5.5 Server can render the Web-based e-mail system useless, administrators complained, prompting Microsoft to update and rerelease its security bulletin.
"Unexpected consequences" may result due to file dependency issues if the Outlook Web Access server that the patch is applied to does not have Internet Explorer (IE) version 5.0 or greater installed, Microsoft said in the revised version of bulletin MS01-057, issued late Friday.
Installing the patch on servers with an older version of IE had various results, according to postings in a forum for Exchange administrators on Microsoft's TechNet Web site. There are reports of disabled systems that only show message headers, not the body, as well as general installation problems.
Exchange administrators could be getting used to having to deal with several versions of security bulletins and patches before their system is patched and running again. Earlier this year it took Microsoft three patches to plug a similar Outlook Web Access hole in Exchange 2000. Exchange 5.5 was also affected, but that patch worked on the first go.
The original bulletin, released late Thursday, did not list any caveats. The updated bulletin lists the IE version requirement and recommends users upgrade to IE 5.5 with Service Pack 2 (SP2) or IE 6.0. Hotfix support is only available for these latest versions of IE, Microsoft said.
The patch is to fix a flaw in the way Outlook Web Access handles inline script in HTML (HyperText Markup Language) e-mail messages. An attacker can hijack a user's mailbox when his message with malicious code is opened using IE and Outlook Web Access, according to Microsoft.
