How the IIS vulnerability (Security Advisory 971492) affects Exchange 2003
Microsoft recently released Security Advisory 971492, which warns of a vulnerability in Internet Information Services (IIS) 6.0, 5.1 and 5.0 (7.0 is not affected) that can allow elevation of privilege.
The vulnerability only occurs when WebDAV is enabled. Since Exchange Server 2003 uses WebDAV to service users, these servers are potentially at risk.
To find out whether a specific server is using WebDAV, you can use the method Jane Lewis describes on her blog.
To mitigate the risk, follow the procedures described in Microsoft Security Advisory 971492.
[UPDATE]
According to the Security Research and Defense blog, OWA is not affected:
Question: Is Outlook Web Access (OWA) vulnerable to the authentication bypass?
Answer: No, OWA is not vulnerable to this vulnerability. Exchange 2007 and earlier supported the WebDAV protocol but they did so with an Exchange implementation of WebDAV which only reads/writes to/from the Exchange store. It does not interact with the filesystem directly.