The version of Outlook Web Access contains a URL redirection vulnerability. However, this would require user interaction to be abused such as embedded URL within an email that is clicked on.
It is possible to provide an arbitrary "url" value.
Informational only. Microsoft expects this to be resolved in Exchange 2007.