The vulnerability does not affect the Premium version of the Outlook Web Access interface. This version is only available to users running current versions of Internet Explorer. By default, Outlook Web Access forces systems running Internet Explorer to use Premium OWA, preventing exploitation against users in this configuration. Only users who are utilizing Outlook Web Access in Lite mode are affected by this vulnerability.
To exploit this vulnerability, the attacker must send a malicious e-mail message to the user and then convince the user to open the message using an affected version of Outlook Web Access. Any script execution would occur with the permissions of the user's Outlook Web Access session.
There are many possible impacts of a successful attack, ranging from the theft of sensitive browser-based information to the successful creation, forwarding, or disclosure of e-mail messages within an affected user's mailbox. Additionally, in some circumstances it may be possible for the attacker to modify the user's domain password to an attacker-specified value. This impact could allow an attacker to subsequently gain access to arbitrary network resources within the affected corporation with the privileges of the affected user. A persistent cross-site scripting issue could occur when an exploit injects values into messages stored within a user's mailbox. This condition is not resolved by logging out of the application and then logging back in. Each time the e-mail message is viewed, an exploit could occur. As a result, the attacker could continue to run malicious script within a user's browser application in the security context of the affected application.
The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities disclosed in this month's Microsoft security bulletin release that can be identified or mitigated using Cisco devices. This Cisco bulletin is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for July 2008
Microsoft has corrected this vulnerability by altering the manner in which HTML is parsed within Outlook Web Access.