
“This is another reminder to find a trusted cloud provider for e-mail,” added Johannes Ullrich, dean of research at the SANS Institute. “On-premises Exchange is becoming a legacy product, and while some organizations need it for internal and outbound email, its attack surface should be minimized by reducing its exposure to external email.”
Ullrich was commenting on an alert from Microsoft this week about a cross-site scripting vulnerability affecting Exchange Outlook Web Access (OWA) that could be exploited merely by sending a specially crafted email to a user. If the user opens the message in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context.
Avoiding cross-site scripting problems in webmail systems like Outlook Web Access is hard, Ullrich admitted. A webmail system must include HTML email received from users within the application’s HTML without confusing the two. Techniques like sandboxed iframes can help, but need to be applied carefully.
At the same time, he said, cross-site scripting flaws in webmail can usually be used to read the content of an email, and in some cases even to send an email.
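An added example, not code from the article or from Microsoft or SANS, of the sandboxed-iframe approach Ullrich describes, with the two checks that make "applied carefully" concrete: escaping the srcdoc attribute and refusing the token combination that lets a frame escape its sandbox. The function names, the sample message and the CSP string are assumptions of this example.

```javascript
// Added example (not from the article): one way a webmail front end can keep
// received HTML mail out of its own DOM with a sandboxed iframe.
// All function names here are hypothetical.

// Escape text for a double-quoted HTML attribute (the srcdoc value). Without
// this, a `"` in the message body would close the attribute and inject markup
// into the host page itself, bypassing the frame entirely.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build the sandbox attribute. An empty token list is the most restrictive
// setting: no script execution, no same-origin access, no forms, no popups.
// "allow-scripts" plus "allow-same-origin" is rejected: a frame with both can
// reach the parent document and remove its own sandbox attribute.
function sandboxAttribute(tokens) {
  if (tokens.includes("allow-scripts") && tokens.includes("allow-same-origin")) {
    throw new Error("allow-scripts with allow-same-origin defeats the sandbox");
  }
  return `sandbox="${tokens.join(" ")}"`;
}

// Weak pattern: message HTML spliced straight into the application document.
// Any script or event handler in the mail now runs with the webmail's origin.
function renderMessageBodyUnsafe(html) {
  return `<div class="mail-body">${html}</div>`;
}

// Hardened pattern: the message gets its own origin-less frame, and a CSP
// inside that frame blocks scripts and remote loads as a second layer.
function renderMessageBody(html, tokens = []) {
  const csp = "default-src 'none'; style-src 'unsafe-inline'";
  const doc = `<!doctype html><meta http-equiv="Content-Security-Policy" ` +
              `content="${csp}">` + html;
  return `<iframe ${sandboxAttribute(tokens)} ` +
         `srcdoc="${escapeAttr(doc)}" referrerpolicy="no-referrer"></iframe>`;
}

// Does the host-page markup contain a raw <script> tag (i.e. one the host
// document's parser, not the frame, would see)?
function hostPageHasScript(markup) {
  return /<script/i.test(markup);
}

// Constructed sample: a message body that carries a script and also tries to
// break out of the attribute with a stray quote.
const SAMPLE_MAIL = `<p>Invoice attached</p><script>alert(1)</script>"><b>x</b>`;
```

The unsafe renderer leaves the script tag in the host document; the hardened one emits only an iframe whose srcdoc is fully entity-escaped, so the host parser sees no tag and the frame, lacking allow-scripts, cannot run it.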
