Recently reports of a new security vulnerability in OWA, a component of Microsoft Exchange Server, have been circulated throughout the internet. Microsoft considers the security of our products to be a top responsibility to our customers.
We have investigated these reports and believe that a properly deployed and secured Exchange Server is not susceptible to the attacks referenced in these posts. One of the reports in question skips over the important details of how an attacker might ‘gain a foothold into a highly strategic asset’ if a system is properly managed, secured, and up-to-date. The “attack” in question could only be initiated by an individual who had administrative access to a server’s file system and services, or who had permission to logon to an Exchange Server console with the rights to replace Exchange system files, and perform an Internet Information Server (IIS) reset.
Read more at source: http://blogs.technet.com/b/exchange/archive/2015/10/07/no-new-security-vulnerability-in-outlook-web-access-owa.aspx