Exchange Update Corrects Oracle Outside In Vulnerabilities

Severity: Medium

Summary:

  • These vulnerabilities affect: Exchange Server 2007 and 2010
  • How an attacker exploits it: By enticing a user to preview a specially crafted attachment within an email
  • Impact: An attacker can execute code with the restricted privileges of the LocalService account
  • What to do: Deploy the appropriate Exchange Server update as soon as possible, or let Windows Automatic Update do it for you

Exposure:

Microsoft Exchange is one of the most popular email servers used today. It includes many advanced features and capabilities. One such feature, called WebReady Document Viewing, allows your email users to preview attached documents as web pages. Exchange leverages Oracle’s Outside In technology to parse these documents and provide these previews.

Unfortunately, Oracle recently found a number of vulnerabilities in its Outside In libraries, which it fixed in its quarterly Critical Patch Update (CPU) last July. In early August, Microsoft realized that Exchange was also affected by the Outside In vulnerabilities and released a security advisory warning customers about it (we highlighted this advisory in WatchGuard Security Week in Review a few weeks ago). Though Microsoft’s advisory provided a workaround for the issue, it didn’t completely fix it.

Today’s Exchange security bulletin does completely resolve the Oracle Outside In vulnerabilities within Exchange.

In a nutshell, the Outside In libraries that Exchange leverages suffer from a number of code execution vulnerabilities in how they parse various file types. By enticing one of your email users to preview a specially crafted document attached to an email, an attacker can exploit any of these flaws to execute code directly on your Exchange server. Luckily, the code only executes with the permissions of the LocalService account, which has very limited privileges. Nonetheless, we recommend Exchange administrators update as soon as possible.
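Because the exposure comes through the WebReady Document Viewing feature, an administrator who cannot patch immediately will usually want to know which Outlook Web App virtual directories have previewing enabled and, as an interim control, turn it off until the update is deployed. The script below is an added example for this alert, not code from the WatchGuard post or from Microsoft’s advisory. It assumes the standard Exchange Management Shell cmdlets Get-OwaVirtualDirectory and Set-OwaVirtualDirectory with their WebReadyDocumentViewingOnPublicComputersEnabled and WebReadyDocumentViewingOnPrivateComputersEnabled parameters, and it treats disabling the feature as the interim mitigation (an assumption; confirm against Microsoft’s advisory for your version).

```powershell
# Added example (not from the WatchGuard alert or Microsoft): audit the WebReady
# Document Viewing setting on every OWA virtual directory in the organization,
# and optionally switch it off until the Exchange update is installed.
# Assumes an Exchange Management Shell session with rights to read and modify
# OWA virtual directories on Exchange 2007 or 2010.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Pass -Disable to turn previewing off; without it the script only reports.
    [switch]$Disable
)

$vdirs = Get-OwaVirtualDirectory

foreach ($vdir in $vdirs) {
    $public  = $vdir.WebReadyDocumentViewingOnPublicComputersEnabled
    $private = $vdir.WebReadyDocumentViewingOnPrivateComputersEnabled

    # The list of file types handed to the Outside In parsers lives under
    # different property names on Exchange 2010 and Exchange 2007, so read
    # whichever one the object actually exposes.
    $fileTypes = if ($vdir.PSObject.Properties['WebReadyFileTypes']) {
        $vdir.WebReadyFileTypes
    } elseif ($vdir.PSObject.Properties['WebReadyDocumentViewingSupportedFileTypes']) {
        $vdir.WebReadyDocumentViewingSupportedFileTypes
    } else {
        @()
    }

    # One report row per virtual directory; Exposed is true when any user
    # class (public or private computer) can still trigger a preview.
    [pscustomobject]@{
        Server           = $vdir.Server
        VirtualDirectory = $vdir.Identity
        PreviewOnPublic  = $public
        PreviewOnPrivate = $private
        Exposed          = ($public -or $private)
        ParsedFileTypes  = ($fileTypes -join ',')
    } | Format-List

    if ($Disable -and ($public -or $private)) {
        # -WhatIf / -Confirm are honoured through ShouldProcess.
        if ($PSCmdlet.ShouldProcess($vdir.Identity, 'Disable WebReady Document Viewing')) {
            Set-OwaVirtualDirectory -Identity $vdir.Identity `
                -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
                -WebReadyDocumentViewingOnPrivateComputersEnabled $false
        }
    }
}
```

Run it without arguments first to see which servers still expose the feature and which file types they parse; run it with `-Disable -WhatIf` to preview the change and then `-Disable` to apply it. OWA virtual directory changes generally take effect only after the OWA application pool is recycled, so plan for that, and remember the page’s point that disabling the feature is a stopgap: the Exchange update is what actually removes the vulnerable code paths.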

Solution Path:

Microsoft has released Exchange updates to correct these vulnerabilities. You should download, test, and deploy the appropriate update as soon as possible, or let Windows Update do it for you. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s Exchange bulletin.

For All WatchGuard Users:

If you like, you can configure WatchGuard’s security appliances to block or strip the document types necessary for attackers to exploit these vulnerabilities. However, some of the affected documents include ones that most administrators prefer to allow, such as Word and PDF documents. Therefore, we recommend you apply the patches instead.

Status:

Microsoft has released patches to fix these vulnerabilities.

References:

About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

10 Responses to “Exchange Update Corrects Oracle Outside In Vulnerabilities”


Trackbacks/Pingbacks

  1. Four Updates Repair Office and Server Software Vulnerabilities | WatchGuard Security Center - October 9, 2012

    [...] FAST Search Server improves the searchability of your SharePoint infrastructure. In previous alerts and videos, we warned you that Microsoft Exchange leveraged Oracle’s Outside In technology to [...]

  2. Four Updates Repair Office and Server Software Vulnerabilities « microreksa - October 9, 2012

    [...] FAST Search Server improves the searchability of your SharePoint infrastructure. In previous alerts and videos, we warned you that Microsoft Exchange leveraged Oracle’s Outside In technology to [...]

  3. Exchange Server Code Execution and DoS Flaws | WatchGuard Security Center - December 11, 2012

    [...] another remote code execution vulnerability in the Oracle’s Outside In technology. In our last Exchange alert, we described a feature called WebReady Document Viewing, which allows your email users to preview [...]

  4. Exchange Server Code Execution and DoS Flaws « microreksa - December 11, 2012

    [...] another remote code execution vulnerability in the Oracle’s Outside In technology. In our last Exchange alert, we described a feature called WebReady Document Viewing, which allows your email users to preview [...]

  5. Specially Crafted Attachments Can Crack Exchange Servers | WatchGuard Security Center - February 12, 2013

    [...] the way, if this issue seems familiar to you, it’s because it is very similar to a previous Exchange WebReady Document Viewing issue from last [...]

  6. FAST Search Server 2010 Flaws Likely Affect Few | WatchGuard Security Center - February 12, 2013

    [...] 2010 suffers from the same Oracle Outside In vulnerabilities that we’ve described in previous Exchange alerts. These vulnerabilities include both code execution and Denial of Service (DoS) [...]

  7. Exchange Server Code Execution and DoS Flaws - September 2, 2013

    […] remote code execution vulnerability in the Oracle’s Outside In technology. In our last Exchange alert, we described a feature called WebReady Document Viewing, which allows your email users to […]
