Risk: Low
Yet again its that time of the month, when Microsoft once again unleashes its latest bug fixes. What is most shocking, is that we have one sole vulnerability being patched. After the release of XP SP2, it's just as well that the only extra thing sysadmins have to contend with is a not especially devastating vulnerability, involving Exchange.
Microsoft has issued a patch which aims to address a cross-site scripting and spoofing vulnerability in Outlook Web Access feature of Exchange Server 5.5. This flaw could be exploited to trick a user into running a malicious script, which would run in the security context of a user. It may also be possible to exploit the flaw to manipulate Web browser caches and intermediate proxy server caches, and put spoofed content in those caches.
The vulnerability affects only Outlook Web Access for Exchange Server 5.5. Outlook Web Access for Exchange 2000 Server and Outlook Web Access for Exchange Server 2003 are not vulnerable.
Redmond describes the vulnerability as moderate, way below the dreaded critical and important designations on its peril index. The alternative workaround is to disable Outlook Web Access, the service that allows users to access their Exchange mailbox through a browser.
Microsoft recommends that customers "consider applying" the security update.