Severity: Medium
Summary:
- These vulnerabilities affect: Exchange Server 2007 and 2010
- How an attacker exploits it: By enticing a user to preview a specially crafted attachment within an email
- Impact: An attacker can execute code with the restricted privileges of the LocalService account
- What to do: Deploy the appropriate Exchange Server update as soon as possible, or let Windows Automatic Update do it for you
Exposure:
Microsoft Exchange is one of the most popular email servers used today. It includes many advanced features and capabilities. One such feature, called WebReady Document Viewing, allows your email users to preview attached documents as web pages. Exchange leverages Oracle’s Outside In technology to parse these documents and provide these previews.
Unfortunately, Oracle recently found a number of vulnerabilities in their Outside In libraries, which they fixed during their quarterly Critical Patch Update (CPU) last July. Early August, Microsoft realized Exchange was also affected by Oracle’s Outside In vulnerabilities, and they released a security advisory warning their customers about it (we highlighted this advisory in WatchGuard Security Week in Review a few weeks ago). Though Microsoft’s advisory provided a workaround for the issue, it didn’t completely fix it
Today’s Exchange security bulletin does completely resolve the Oracle Outside In vulnerabilities within Exchange.
In a nutshell, the Outside In libraries that Exchange leverages suffer from a number of code execution vulnerabilities having to do with how they parse various types of files. By enticing one of your email users to preview a specially crafted document attached to an email, an attacker can exploit any of these flaws to execute code directly on your Exchange server. Luckily, the code only executes with the permissions of the LocalService account, which has very limited privileges. Nonetheless, we recommend Exchange administrators update as soon as possible.
Solution Path:
Microsoft has released Exchange updates to correct these vulnerabilities. You should download, test, and deploy the appropriate update as soon as possible, or let Windows Update do it for you. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s Exchange bulletin.
For All WatchGuard Users:
If you like, you can configure WatchGuard’s security appliances to block or strip the document types necessary for attackers to exploit these vulnerabilities. However, some of the affected documents include ones that most administrators prefer to allow, such as Word and PDF documents. Therefore, we recommend you apply the patches instead.
Status:
Microsoft has released patches to fix these vulnerabilities.