Exchange Update Corrects Oracle Outside In Vulnerabilities



August 14, 2012 | Posted by Nachreiner


Severity: Medium


  • These vulnerabilities affect: Exchange Server 2007 and 2010
  • How an attacker exploits it: By enticing a user to preview a specially crafted attachment within an email
  • Impact: An attacker can execute code with the restricted privileges of the LocalService account
  • What to do: Deploy the appropriate Exchange Server update as soon as possible, or let Windows Automatic Update do it for you


Microsoft Exchange is one of the most popular email servers used today. It includes many advanced features and capabilities. One such feature, called WebReady Document Viewing, allows your email users to preview attached documents as web pages. Exchange leverages Oracle’s Outside In technology to parse these documents and provide these previews.

Unfortunately, Oracle recently found a number of vulnerabilities in their Outside In libraries, which they fixed during their quarterly Critical Patch Update (CPU) last July. In early August, Microsoft realized Exchange was also affected by Oracle’s Outside In vulnerabilities, and they released a security advisory warning their customers about it (we highlighted this advisory in WatchGuard Security Week in Review a few weeks ago). Though Microsoft’s advisory provided a workaround for the issue, it didn’t completely fix it.

Today’s Exchange security bulletin does completely resolve the Oracle Outside In vulnerabilities within Exchange.

In a nutshell, the Outside In libraries that Exchange leverages suffer from a number of code execution vulnerabilities having to do with how they parse various types of files. By enticing one of your email users to preview a specially crafted document attached to an email, an attacker can exploit any of these flaws to execute code directly on your Exchange server. Luckily, the code only executes with the permissions of the LocalService account, which has very limited privileges. Nonetheless, we recommend Exchange administrators update as soon as possible.

Solution Path:

Microsoft has released Exchange updates to correct these vulnerabilities. You should download, test, and deploy the appropriate update as soon as possible, or let Windows Update do it for you. You can find the updates in the “Affected and Non-Affected Software” section of Microsoft’s Exchange bulletin.

For All WatchGuard Users:

If you like, you can configure WatchGuard’s security appliances to block or strip the document types necessary for attackers to exploit these vulnerabilities. However, some of the affected documents include ones that most administrators prefer to allow, such as Word and PDF documents. Therefore, we recommend you apply the patches instead.


Microsoft has released patches to fix these vulnerabilities.

