Jason,

        It appears your observations are correct. I have not verified that the
problem occurs with only user accounts (I don't want to continue to
break our server in order to do bug testing for Microsoft).
Additionally, the DOS is obvious; whether it can be exploited for more is not
(I have no idea). As Dallas said in her response, while upgrading may
seem like a good idea (to Exchange 2k+), we too will be using Outlook
2003 before upgrading Exchange (Exchange upgrades in large corporate
environments are a nightmare...).

        -Darren

On Mon, 2003-07-21 at 20:45, Jason wrote:
> This being full disclosure and all...
> 
> I am interested in what exactly Outlook 2003 does that causes IIS so 
> much issue? My gut answers in ( )s.
> 
> Can this be replicated without Outlook 2003? ( probably )
> Can this be done with or without a user account? ( users only )
> Is this only a DOS for servers with OWA running? ( probably )
> Is it just a DOS or a lurking exploitable condition? ( DOS )
> Is it a persistent DOS against IIS and OWA or does a restart resolve it? 
> ( restart )
> Is it reliably reproducible or dependent on an obscure configuration 
> option? ( reliable )
> 
> If you can provide these details then I think the list would be 
> interested. Otherwise you may be better off going to one of the more 
> Exchange / MS focused lists for bug sympathy/help.
> 
> 
> LaRose, Dallas wrote:
> 
> >-----Original Message-----
> >From: Christopher F. Herot [mailto:[EMAIL PROTECTED] 
> >Maybe you should upgrade from Exchange 5.5 to 2000.  We have had people
> >using Outlook 2003 client and OWA with Exchange 2000 for several months
> >without incident.
> >
> >==========
> >
> >Although I'll recognize that an upgrade to E2K is prudent and may resolve
> >the issue, a problem in a product that is still in use should be recognized
> >and documented.
> >
> >Although my company is interested in upgrading to both Outlook 2003 and
> >Exchange 2K+, the upgrade to Outlook 2003 will likely come first due to
> >complexities in the Exchange upgrade.  I think it's fair to test the
> >combination of Outlook 2003 and Exchange 5.5 OWA, and I'm interested to know
> >the results.
> >
> >Does Microsoft have a Q article that acknowledges the issue?
> >
> >Dallas LaRose
> >Senior Network Engineer
> >S2 Systems, Inc.
> >
> >_______________________________________________
> >Full-Disclosure - We believe in it.
> >Charter: http://lists.netsys.com/full-disclosure-charter.html
-- 
-----------------------------------------------
Darren Bennett 
CISSP, Certified Unix Admin., MCSE, MCSA, MCP +I
Sr. Systems Administrator/Manager
Science Applications International Corporation
Advanced Systems Development and Integration
-----------------------------------------------
