Security Bulletin

Microsoft Security Bulletin MS01-049

Deeply-nested OWA Request Can Consume Server CPU Availability

Published: September 26, 2001 | Updated: June 13, 2003

Version: 1.1

Originally posted: September 26, 2001
Updated: June 13, 2003


Who should read this bulletin:
System administrators using Microsoft® Exchange 2000.

Impact of vulnerability:
Denial of service.

Administrators offering mail service through Outlook Web Access should apply the patch.

Affected Software:

  • Microsoft Exchange 2000 Server Outlook Web Access

General Information

Technical details

Technical description:

A security vulnerability exists in Exchange 2000 Outlook Web Access, because it will accept and process a request for an item in an authenticated user's mailbox without verifying first that the folder structure is valid. An attacker could mount a denial of service attack by repeatedly levying a request for a non-existent but deeply nested folder in his own mailbox.

Exploiting the vulnerability wouldn't necessarily affect the OWA server itself. The effect of the vulnerability would be to cause the process servicing the attacker's mailbox to consume most or all of the CPU availability on the server it was running on. In may cases, this process would run on the OWA server, and thus the effects would be seen there. However, if the process servicing the attacker's mailbox ran on a back-end server, the effect of exploiting the vulnerability would be seen there. In any event, the affected server would resume normal service once the request was handled.

Mitigating factors:

  • Only users who could authenticate to the server could exploit this vulnerability.
  • The attacker would need to have permissions on at least one mailbox in order to exploit the vulnerability.
  • The user can only perform this task against mailboxes to which they have permission.
  • The vulnerability could not be used to cause the mailbox store to fail, or to corrupt mailbox data.

Vulnerability identifier: CAN-2001-0666

Tested Versions:

Microsoft tested Exchange 5.5 and Exchange 2000 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who exploited this vulnerability could temporarily consume most or all of the resources on mail server, slowing or preventing other users from accessing their mail. The vulnerability would not allow the attacker to add, delete, change or view anyone else's mail. In order to exploit the vulnerability, the attacker would need to be authorized to access at least one mailbox on the server. The effects of exploiting the vulnerability would be temporary, and the server would resume normal operation once the attack ceased.

What causes the vulnerability?
The vulnerability results because Exchange 2000 OWA does not limit how complex an authenticated user's request to the server can be. By constructing an extremely complex request, a user could consume all CPU availability on the server that processes the request item.

What is OWA?
OWA is a feature in Exchange 5.5 and 2000 that allows users to access their email via a web browser instead of a mail client. Essentially, OWA makes an Exchange server also function as a web site that lets authorized users read or send mail, manage their calendar, or perform other mail functions via the Internet.

What's wrong with OWA?
When OWA processes a request from a user to access a particular mail folder, it doesn't verify first that the folder actually exists. By levying a request involving an extremely complex folder structure - for instance, a folder nested ten thousand folders deep in a tree - it would be possible to make the server spend an inordinate amount of time processing that request.

Would the folder have to actually exist?
No, the requested item does not have to be valid. Any very deeply nested request can exploit this vulnerability.

What would this vulnerability allow the attacker to do?
By repeatedly sending requests that involve deeply nested folders, the attacker could monopolize the server's CPU availability, thereby slowing the server's response or making it completely unresponsive until the request had been completed.

How long would the effects of exploiting the vulnerability last?
It would depend on how complex the request was. However, whenever it completed processing the request, service would return to normal.

How many servers could this affect?
It would depend on how the specific server was configured. OWA sends requests to the process that controls the user's mailbox. If the process were located on the same server as OWA, only the OWA server would be affected. On the other hand, if the process were located on another server, that server, rather than the OWA server, would be affected. This patch should only be applied to Exchange servers that host user mailboxes.

Who could exploit this vulnerability?
Only user who was able to authenticate to the mail server could exploit this vulnerability, and even then only if he had been given access to a mailbox on it.

Could the vulnerability be used to gain any control over the server?
No. The rogue user could only exploit this as a denial of service. The rogue user must be an authenticated user.

I have an Exchange Server, but I don't offer OWA? Do I need the patch?
No. Only Exchange servers with OWA need to be patched.

What does the patch do?
The patch eliminates the vulnerability by restricting the maximum depth of a nested request by an authenticated user.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

This patch can be installed on systems running Microsoft Exchange 2000 SP1

Inclusion in future service packs:

The fix for this issue will be included in Exchange 2000 SP2.

Reboot needed: Yes

Superseded patches: MS01-041

Verifying patch installation:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
    HKEY_LOCAL_MACHINE\Software\Microsoft\Updates\Exchange Server 2000\SP2\Q303451.

  • To verify the individual files, use the date/time and version information provided in the following registry key:
    HKEY_LOCAL_MACHINE \Software\Microsoft\Updates\Exchange Server 2000\SP2\Q303451\filelist




Localized versions of this patch are available at the locations discussed in "Patch Availability"

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:


Microsoft thanks Joao Gouveia for reporting this issue to us and working with us to protect customers.


  • Microsoft Knowledge Base article Q304233 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.


The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.


  • V1.0 (September 26, 2001): Bulletin Created.
  • V1.1 (June 13, 2003): Updated download links to Windows Update.

Built at 2014-04-18T13:49:36Z-07:00