Updated: July 9, 2020 (September 20, 2010)
Analyst Report
No Exchange Patch Provides Support Guidance
A security vulnerability in some versions of Exchange Server 2003 and 2007 could allow an attacker to take control of an authenticated Outlook Web Access (OWA) session and then perform actions as if he were the legitimate OWA user. Microsoft will not patch this security bug, even though some versions of Exchange that contain the bug are still supported, because the fix would require architectural changes that might break other product features. Instead, customers concerned about security must deploy a service pack or a new version of Exchange.
What’s Affected
The vulnerability affects Exchange Server 2003 and installations of Exchange Server 2007 without SP3. It does not affect versions prior to Exchange 2003, and it does not affect Exchange 2007 SP3, Exchange Server 2010, or Exchange Server 2010 SP1.
Exchange 2003 was generally available in Sept. 2003, and customers are entitled to the benefits of the Extended support phase until Apr. 2014. Among those benefits are security updates and paid support on contracts such as Premier Support.