December’s Patch for Exchange – What You Need to Know

We reported yesterday at http://www.theemailadmin.com/2013/12/decembers-patch-tuesday-includes-critical-exchange-update/ that this month’s Microsoft updates would include a critical patch for Exchange. It’s now “Patch Tuesday” and we’ve got more details on what is designated as MS13-105. Here’s what you need to know.

The issue

There are three publicly disclosed vulnerabilities in various versions of Exchange, plus a fourth that has not been disclosed publicly. Because three of them are public, there is heightened awareness of the issues, which can easily lead to exploit code being developed and released into the wild. Once again, the WebReady Document Viewing component and the DLP component are both involved. Exploitation requires sending an email message with a malicious attachment and then either convincing a user to view the attachment through OWA or having the attachment pass through DLP for analysis. The problem code is contained in the Oracle Outside In libraries.

The impact

Should an attacker successfully exploit this vulnerability, they can achieve remote code execution on the server in the security context of the LocalService account. While LocalService has limited privileges on the operating system and can only access network resources as Anonymous, remote code execution is bad in any scenario. In other words, this is the small-yield thermonuclear warhead of impacts. Microsoft rates this as “Critical,” which means you want to patch it now. There have not yet been any reports of exploits in the wild, but you don’t want to wait to hear about an exploited system before you start patching.

What is affected

The following versions of Exchange are impacted. These include the most recent SPs, CUs, and RUs. If you are running a currently supported version of these Exchange releases, you’re vulnerable.

  • Exchange 2013
  • Exchange 2010
  • Exchange 2007

What is not affected

Exchange 2003 is not vulnerable to this, primarily because it doesn’t offer WebReady Document Viewing and has no DLP capabilities.

What you should do

Test this patch in your lab environment right now, and deploy it immediately. The only real workaround is to block attachments completely, which is not a workaround any of us could realistically apply.

More reading

You can read more information about this in KB 2915705 (https://support.microsoft.com/kb/2915705). The vulnerabilities have also been published in the following CVEs.

So, get this deployed in your lab, make sure your QA tests pass, and then deploy it to all servers in your environment as soon as you can. I like to patch servers in this order.

  1. Edge Transport
  2. CAS
  3. Hub Transport
  4. Mailbox
  5. UC

If you are a CAS-CAS proxy customer, make sure you patch the Internet facing CAS first, and then the internal CAS server.
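One way to turn that ordering into a deployment worksheet, as an added example rather than the author’s own script: run from the Exchange Management Shell, it reads each server’s roles and version and lists the servers in the sequence above, placing a CAS whose OWA virtual directory has an ExternalUrl ahead of internal CAS servers. The role-to-rank mapping and the ExternalUrl heuristic for “Internet facing” are assumptions.

```powershell
# Added example: order Exchange servers for MS13-105 deployment following the
# sequence Edge -> CAS (Internet-facing first) -> Hub -> Mailbox -> UM.
# Assumption: a CAS with an ExternalUrl on its OWA virtual directory is
# treated as Internet-facing; multi-role servers are placed at their
# earliest role so each box is still patched only once.

$rank = @{
    'Edge'             = 1
    'ClientAccess'     = 2
    'HubTransport'     = 3
    'Mailbox'          = 4
    'UnifiedMessaging' = 5
}

$plan = foreach ($srv in Get-ExchangeServer) {
    # ServerRole renders as a comma-separated flag list,
    # e.g. "Mailbox, ClientAccess, HubTransport"
    $roles = $srv.ServerRole.ToString() -split ',\s*'
    $order = ($roles | ForEach-Object { $rank[$_] } |
              Where-Object { $_ } | Measure-Object -Minimum).Minimum
    if (-not $order) { $order = 99 }   # unknown role: review by hand, patch last

    $internetFacing = $false
    if ($roles -contains 'ClientAccess') {
        $owa = Get-OwaVirtualDirectory -Server $srv.Name -ErrorAction SilentlyContinue
        $internetFacing = [bool]($owa | Where-Object { $_.ExternalUrl })
    }

    [pscustomobject]@{
        Order          = $order
        InternetFacing = $internetFacing
        Server         = $srv.Name
        Roles          = ($roles -join ', ')
        Version        = $srv.AdminDisplayVersion.ToString()
        Site           = $srv.Site.Name
    }
}

# Earlier role first; within CAS, Internet-facing before internal
$plan | Sort-Object Order, @{ Expression = 'InternetFacing'; Descending = $true }, Server |
    Format-Table Order, Server, Roles, InternetFacing, Version, Site -AutoSize
```

Edge Transport servers only appear in Get-ExchangeServer output when they have an Edge Subscription, so add any unsubscribed Edge servers to the top of the list by hand.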

Written by Casper Manes

I currently work as a Senior Messaging Consultant for one of the premier consulting firms in the world. I cut my teeth on Exchange 5.0, and have worked with every version of Microsoft’s awesome email package since then, as well as MHS, Sendmail, and MailEnable systems. I've written dozens of articles on behalf of my past employers, their partners, and others, and I finally decided to embrace blogging and social media, so please follow me on Twitter @caspermanes if you enjoy my posts.

1 Comment

  1. Dannie · December 31, 2013

    I’m pretty new to this whole Exchange thing. I don’t really use or need to use it, but I hear a lot of my friends talking about it. Yours is the first post that I’ve read about Exchange and there are a lot of terms that are foreign-sounding to me. Anyway, I’d appreciate it if you can explain to me in simpler terms what a patch can do for Exchange users. How important is it? Does it help make the whole system better? I have no other reason for asking except to learn something new and be able to talk to my friends when they start telling stories about their Exchange experiences. I’d like to try it out sometime, but my computer system is not suited for it.
