The flaw affects only companies that use a program included by Microsoft in its Exchange mail server package. Known as Outlook Web Access, the program allows companies to offer e-mail access to employees via a Web browser.
According to the software giant, Outlook Web Access and the Internet Explorer browser don't play well together. Because the two programs aren't entirely on the same page, an e-mail attachment that appears to be a text file could contain a script that, when opened with Internet Explorer, would be able to modify a person's in-box and other mail folders.
"It's not something that is going to reformat your hard drive," said Christopher Budd, program manager with Microsoft's security response center. "The script can only do what the browser will allow it to do; you cannot write files to the machine through the browser."
A malicious program could, however, add, delete and modify the data and messages in a person's in-box, according to the Microsoft advisory.
To exploit the flaw, an attacker would have to create a special text attachment that includes HTML code and scripts. While the attachment would appear to be a text file to the recipient, once opened, the script would automatically execute without notification.
Under Outlook and other mail clients, an HTML file would either be identified as such--with an icon that looks like an HTML page--or be considered a text file and not executed. The Outlook Web Access flaw makes the file appear as text but executes it as if it were HTML.
Worse, while Windows normally warns a user when a script runs, in this case, it does not.
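The mismatch described above, a part declared as plain text whose bytes a browser would sniff as HTML, is something a mail gateway can look for. The following check is an added example, not code from Microsoft or the article; the message it scans is a constructed sample, and the marker list approximates how a content-sniffing browser decides a file is "really" HTML.

```python
import email
import re
from email import policy

# Tags that make a sniffing browser treat a "text" file as HTML and run its scripts.
HTML_MARKERS = re.compile(
    rb"<\s*(html|script|body|head|iframe|object|embed|meta)\b", re.IGNORECASE
)
SNIFF_WINDOW = 512  # sniffers decide on a short leading window of bytes


def attachment_looks_like_html(content_type: str, payload: bytes) -> bool:
    """True when a part declared text/plain carries HTML/script markup up front."""
    if content_type.lower() != "text/plain":
        return False  # declared HTML is handled by the normal HTML rules, not this check
    return HTML_MARKERS.search(payload[:SNIFF_WINDOW]) is not None


def scan_message(raw: bytes) -> list:
    """Return filenames of text/plain attachments that would be sniffed as HTML."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flagged = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        payload = part.get_payload(decode=True) or b""
        if attachment_looks_like_html(part.get_content_type(), payload):
            flagged.append(part.get_filename() or "<unnamed>")
    return flagged


# Constructed sample: one harmless text attachment, one text-labelled part that is HTML.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: user@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

Body text.
--BOUNDARY
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

Just some notes, no markup here.
--BOUNDARY
Content-Type: text/plain; name="readme.txt"
Content-Disposition: attachment; filename="readme.txt"

<html><body><script>/* constructed marker, does nothing */</script></body></html>
--BOUNDARY--
"""

if __name__ == "__main__":
    print(scan_message(SAMPLE_MESSAGE))  # ['readme.txt']
```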
The good news, said Microsoft's Budd, is that--because the vulnerability affects only Web mail users and not those using Outlook or Outlook Express--anyone exploiting the flaw will not have much success.
"This is really dependent on someone reading the attachment" via a Web browser, he said. "If I sent a virus out to a million people, only a small percentage would be affected."
Furthermore, the flaw does not allow a malicious program to automatically send e-mail, a tactic common among the mass-mailing worms plaguing the Internet today.
To date, no programs are known to exploit the vulnerability.
Microsoft notified security experts of the problem late Wednesday and already has a patch for companies using its Exchange Server 2000. The previous version of Exchange--version 5.5--does not have the vulnerability.