A new vulnerability in Microsoft Exchange account login checks, which are now included in an update to the company’s Exchange 2007 client software, could allow hackers to gain access to accounts by impersonating legitimate employees, according to researchers from Kaspersky Lab and Symantec.
The vulnerability in the software allows hackers to bypass password requirements to log in to an Exchange account.
In addition, the vulnerability could allow attackers to gain control of a Microsoft Exchange server or to compromise a Microsoft account, which would then allow them to access the server’s sensitive data.
The exploit, known as a “misdirection,” has been reported by researchers from a number of companies, including Microsoft, Symantec and FireEye.
The researchers have since identified a separate vulnerability in some of the other Microsoft Exchange accounts that was patched this week.
Symantec said that the exploit in Microsoft’s Windows 7 Client Edition is the second known vulnerability that could be exploited by attackers.
Symantec reported that it had found the same vulnerability in another Microsoft Exchange version.
“While we don’t know the full scope of the vulnerabilities, we are aware of at least one other publicly reported vulnerability in one of the two versions of Microsoft Exchange,” Kaspersky said in a blog post published Wednesday.
“While we cannot confirm whether these vulnerabilities were used in the attacks, they were found by Symantec’s researchers.”
“The Microsoft Exchange vulnerability was discovered after the initial reported exploits, but Microsoft has since patched the vulnerabilities in the affected versions of Windows,” the company said.
Microsoft has not yet commented on the new vulnerability.
The flaw in the Microsoft Exchange software, which Microsoft announced in November, allows attackers to use a specially crafted certificate to sign a document, as long as the certificate contains the name of the user, or the email address associated with the user’s email account.
“If the user is not authenticated, the certificate will be valid, but not valid for the session, because it is valid for both the certificate and the user account,” Kansai-based Symantec said in an advisory on Wednesday.
Symantec said that it has found another Microsoft security vulnerability in Exchange that it believes was exploited by the same group that discovered the new flaw.
Symantec said it has also discovered two other known vulnerabilities in Microsoft Windows versions.
Symantec also said that its researchers have found a third Microsoft vulnerability in Windows Server 2003.
Microsoft did not immediately respond to a request for comment.
Microsoft Exchange account logins can be used to log into a server by using the username, password or other information that has been assigned to a user account, such as a user ID.
If the user has not been authenticated before, the user will not be able to log in and will instead be redirected to the Exchange web site.
The new vulnerabilities in Exchange 2007 could allow an attacker to compromise the login of any user who had an Exchange server running on their computer, Symantec wrote.
The attackers would then gain control over the server and access sensitive data such as financial records, customer accounts and email.
The researchers said they have identified at least six known vulnerabilities affecting Microsoft Exchange 2007 that were addressed in Microsoft updates on Wednesday. Symantec said in its advisory, however, that it is possible that the remaining six vulnerabilities could be exploitable by other groups that are exploiting these vulnerabilities.
“There is an active effort underway to exploit these vulnerabilities for other purposes, so the risks from these vulnerabilities may continue to grow,” the advisory said.
Symantec also released a tool it said it had developed that can be installed on any Microsoft Exchange 2003 server that uses the Windows Server Message Block Protocol (WSMP) to access a server running Exchange 2007.
The tool, called Microsoft Exchange Security Audit, was developed by Symantec.
Symantec researchers said the tool was able to collect the email addresses of hundreds of thousands of Exchange users, which they used to identify compromised Exchange accounts.
The researchers said that a similar tool is also being used to collect email addresses associated with compromised Microsoft Outlook accounts.
Symantec’s advisory warned that this tool should be used only by administrators who have full control of their server.