-----BEGIN PGP SIGNED MESSAGE-----
AUSCERT External Security Bulletin Redistribution
ESB-2008.0491 -- [Win]
Potential security flaw in Outlook Web Access (OWA)
13 May 2008
AusCERT Security Bulletin Summary
Product: Outlook Web Access (OWA)
Operating System: Windows
Impact: Access Confidential Data
Access: Existing Account
Original Bulletin: http://www.kb.cert.org/vuls/id/829876
- --------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability Note VU#829876
Microsoft Outlook Web Access may not use the no-store HTTP directive
Some versions of Outlook Web Access (OWA) may use the no-cache instead of
the no-store HTTP 1.1 directive. This results in web browsers caching
Some versions of Outlook Web Access may use the Cache-Control: no-cache
HTTP 1.1 directive.
- From RFC 2616:
If the no-cache directive does not specify a field-name, then a cache
MUST NOT use the response to satisfy a subsequent request without
successful revalidation with the origin server. This allows an origin
server to prevent caching even by caches that have been configured to
return stale responses to client requests.
If the no-cache directive does specify one or more field-names, then a
cache MAY use the response to satisfy a subsequent request, subject to
any other restrictions on caching. However, the specified
field-name(s) MUST NOT be sent in the response to a subsequent request
without successful revalidation with the origin server. This allows an
origin server to prevent the re-use of certain header fields in a
response, while still allowing caching of the rest of the response.
Using the no-cache instead of the no-store directive may cause web browsers
that closely follow RFC 2616 to store potentially sensitive information.
Sensitive information that is viewed during an Outlook Web Access session
may be stored to disk.
We are unware of a solution for this problem.
Clear browser caches
Clearing browser caches frequently may mitigate this vulnerability by
deleting data that was inadvertantly cached.
* In Internet Explorer 7, click on Tools, Internet Options, Delete
(under the Browsing history section), then Delete all.
* For Firefox 2 and 3 see the Firefox Options window support page for
information on how to automatically remove cached browser files.
* In Safari 3.0, click Safari then Reset Safari.
* In recent of versions of Opera, go to Tools, Preferences, Advanced,
History and set the cache to Empty on exit.
* For recent versions of the Konqueror browser, use the KControl module
called Cache, then click on the Clear cache button.
Administrators should also considering securely erasing deleting browser
caches before re-deploying or disposing of hard drives.
Vendor Status Date Updated
Microsoft Corporation Vulnerable 31-Mar-2008
Thanks to Bill Knox from MITRE reporting this vulnerability.
This document was written by Ryan Giobbi.
Date Public 05/09/2008
Date First Published 05/09/2008 08:08:29 AM
Date Last Updated 05/09/2008
US-CERT Technical Alerts
Document Revision 22
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
Australian Computer Emergency Response Team
The University of Queensland
Internet Email: firstname.lastname@example.org
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----