Microsoft is investigating what may be a serious flaw in Exchange Server 2003, only a month after the software's launch as part of Office System 2003.
The bug appears to affect an Exchange component called Outlook Web Access (OWA), which allows users to access their inboxes and folders via a Web browser.
Users logging into their Web-based mailbox sometimes find themselves accessing another user's account, with full privileges, according to Matthew Johnson, a network administrator with a US company that sells tools for investors and fund managers. Johnson reported the bug earlier this month on the NTBugtraq security mailing list.
"This seems to be a major security flaw and we have had to shut off OWA indefinitely because of the issue," Johnson wrote.
Microsoft has said it is investigating the issue, and said the flaw appears to occur only when Kerberos authentication is disabled. Kerberos is the method, developed at the Massachusetts Institute of Technology, that Microsoft uses for authenticating requests for services. For the moment, the company is advising users to keep Kerberos authentication enabled -- as it is by default -- and may issue a patch or more information when its investigation is complete.
However, Johnson told ZDNet UK that Microsoft's initial analysis doesn't seem to be correct, since his company did not alter Exchange Server's default configuration, and thus should have been using Kerberos. He initially reported the bug to Microsoft two months ago, and said Microsoft is in the process of testing patches.
Microsoft did not respond to requests for additional comment.
Earlier editions of OWA have suffered their share of security problems. In 2001, Microsoft released a patch for the OWA feature in Exchange 5.5 and 2000, but the patch itself notoriously caused many servers to overload and hang, and was pulled offline; a second patch also contained a catastrophic bug.
Last week Aaron Greenspan, a Harvard University junior and president of consulting company Think Computer, published a white paper concluding that Exchange 5.5 and 2000 can be used by spammers to send anonymous email.
ZDNet U.K.'s Matthew Broersma reported from London.