Critical Security Patches for Exchange Issued by Microsoft

Microsoft’s Patch Tuesday was a fat one this month. All told, Redmond pushed fixes for 57 security flaws, including some in Exchange 2007 and 2010.

The flaws in Exchange were tagged “critical” by Microsoft, a rating reserved for the most severe vulnerabilities.

The update affects Exchange 2010 SP2 and 2007 SP3. Exchange 2010 SP3 and 2003 SP2 are not affected by the update.

The flaws addressed by the security update are publicly known, Microsoft explained in its security bulletin for Patch Tuesday.

The most severe vulnerability is in Microsoft Exchange Server WebReady Document Viewing.

If exploited, the vulnerability could be used by an Internet malcontent to execute code remotely on an Exchange server. The code could be executed when a specially crafted file is previewed in Outlook Web App (OWA).

The vulnerability allows a hacker to run code through Exchange’s LocalService account. On a local computer, the LocalService account has minimum privileges and on the network, it presents anonymous credentials.

Another vulnerability in Exchange addressed by the update also involves a poisoned file. If viewed through Outlook Web Access in a browser, the file will cause Exchange to freeze. However, the vulnerability can’t be exploited to execute code or elevate a user’s administrative rights.

The security update fixes the vulnerability by updating Oracle Outside In libraries to a non-vulnerable version. Outside In is used to convert files from various formats so they can be viewed in a web browser.

Oracle’s security woes have been making headlines lately because despite multiple patches it has been unable to keep vulnerabilities from popping up in its Java programming language.

If you have automatic updating enabled and configured to automatically check for updates from Microsoft, the update will be downloaded and installed automatically.

If you don’t have automatic updating enabled, you’ll have to install the update manually.

You can work around installing the update by issuing commands through Exchange PowerShell. This command will turn off WebReady document viewing:

Get-OwaVirtualDirectory | where {$_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010'} | Set-OwaVirtualDirectory -WebReadyDocumentViewingOnPublicComputersEnabled:$False -WebReadyDocumentViewingOnPrivateComputersEnabled:$False

With document view turned off, however, your users won’t be able to preview attachments in OWA.
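Because the workaround costs users their attachment previews, an administrator will want to know which OWA virtual directories still have WebReady enabled, disable it in a way that can be undone, and restore the original settings once the update is installed. The script below is an added example, not the article's or Microsoft's own; it assumes an Exchange Management Shell session (PowerShell 2.0 or later) against Exchange 2007 SP3 or 2010 SP2, and the -Action switch and $StateFile path are this example's own choices, while the cmdlets and property names are Exchange's.

```powershell
# Added example: audit, disable, or restore WebReady Document Viewing on the
# OWA virtual directories affected by the bulletin. -Action and $StateFile are
# hypothetical choices of this script; the cmdlets are Exchange's own.
param(
    [ValidateSet('Audit', 'Disable', 'Restore')]
    [string]$Action = 'Audit',
    [string]$StateFile = "$env:TEMP\webready-state.csv"   # hypothetical path
)

# Only the OWA virtual directories of the affected versions are in scope.
$dirs = Get-OwaVirtualDirectory |
    Where-Object { $_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010' }

# Snapshot of the per-directory WebReady settings, used both for the audit
# and for putting things back exactly as they were after patching.
$state = foreach ($d in $dirs) {
    New-Object PSObject -Property @{
        Identity = $d.Identity.ToString()
        Version  = $d.OwaVersion
        Public   = [bool]$d.WebReadyDocumentViewingOnPublicComputersEnabled
        Private  = [bool]$d.WebReadyDocumentViewingOnPrivateComputersEnabled
    }
}

switch ($Action) {
    'Audit' {
        # A directory with either setting on still lets OWA hand attachments to
        # the Outside In conversion the update replaces.
        $state | Select-Object Identity, Version, Public, Private,
            @{ Name = 'StillEnabled'; Expression = { $_.Public -or $_.Private } } |
            Format-Table -AutoSize
    }
    'Disable' {
        # Record the current state first so the workaround can be reverted.
        $state | Export-Csv -Path $StateFile -NoTypeInformation
        foreach ($d in $dirs) {
            Set-OwaVirtualDirectory -Identity $d.Identity `
                -WebReadyDocumentViewingOnPublicComputersEnabled:$false `
                -WebReadyDocumentViewingOnPrivateComputersEnabled:$false
        }
    }
    'Restore' {
        # Once the update is installed, restore each directory's saved settings.
        foreach ($s in Import-Csv -Path $StateFile) {
            Set-OwaVirtualDirectory -Identity $s.Identity `
                -WebReadyDocumentViewingOnPublicComputersEnabled:([bool]::Parse($s.Public)) `
                -WebReadyDocumentViewingOnPrivateComputersEnabled:([bool]::Parse($s.Private))
        }
    }
}
```

Run it with -Action Audit before and after the workaround to confirm nothing was missed, and with -Action Restore only after the security update has been applied.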

In addition to the critical Exchange fixes, other critical patches fix problems in the Windows implementation of Vector Markup Language (VML), vulnerabilities in the way Windows handles certain media files and a number of bugs in Windows XP systems.

Microsoft is also addressing vulnerabilities in Internet Explorer from version 6 to 10.

The flaws make the browser vulnerable to drive-by Web attacks. In a drive-by attack, a web surfer need only land on an infected website to get their computer infected.

Security updates can be a two-edged sword. Although the bugs squashed by Microsoft may be publicly known, hackers still scrutinize the updates with an eye toward exploiting them. They know that many users are slow to update their systems and they hope to exploit a vulnerability before it’s plugged.

The problem is usually worse for corporate environments. They typically want to examine the effects of an update before rolling it out across the enterprise. Otherwise, their support desks could suddenly be flooded with help calls.

Written by John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.

2 Comments

  1. Earl John · February 22, 2013

    Thank you for this heads-up! In the next few days, we will be upgrading our Exchange, and it sure does help if there’s a guide, no matter how small, that you can use. I am a starting IT staff, not the administrator yet. Our designated one, however, doesn’t seem to care about letting us know on what’s happening, so I definitely cannot count on him to teach me a thing or two about Exchange. Isn’t that such a bad thing? Nevertheless, I better get ready for anything since I’m out to prove that I am way better than him. Haha!

  2. Anne C. · June 2, 2013

    We are on the same boat, Earl John! I find it quite disheartening that my boss does not have the intention of teaching or training us in anything related to Microsoft Exchange. Exchange is a little complicated; thus, I have been having a hard time doing my work. So it is a good thing that Microsoft almost always comes up with good solutions to fix errors and squash misconceptions. Security is a big issue for me, that is why I try my best to work around the flaws in Exchange, regardless of whether my boss helps me out or not.
