Microsoft recently published security bulletin MS06-029, which describes a new vulnerability that can affect Exchange Server 2000 and 2003. This vulnerability could allow script injection when Exchange Server runs Outlook Web Access. An attacker could exploit the vulnerability by constructing an e-mail message with a specially crafted script. If this specially crafted script is run, it would execute in the security context of the user on the client. More information is available at the following links:
- Microsoft Security Bulletin MS06-029
- MS06-029: Vulnerability in Microsoft Exchange Server could allow script injection when Exchange Server runs Outlook Web Access
Patches are available for Exchange 2000 SP3, Exchange 2003 SP1 and Exchange 2003 SP2, but be warned that installing these security updates can break third-party services such as BlackBerry or GoodLink.