We reported yesterday at http://www.theemailadmin.com/2013/12/decembers-patch-tuesday-includes-critical-exchange-update/ that this month’s Microsoft updates would include a critical patch for Exchange. It’s now “Patch Tuesday” and we’ve got more details on what is designated as MS13-105. Here’s what you need to know.
There are three publicly disclosed vulnerabilities in various versions of Exchange, plus a fourth that has not been disclosed publicly. Because three of them are public, awareness of the issues is heightened, which can easily lead to exploit code being developed and released into the wild. Once again, the WebReady Document Viewing component and the DLP component are both involved. An exploit can be accomplished by sending an email message with a malicious attachment and then either convincing a user to view the attachment through OWA or having the attachment passed through DLP for analysis. The problem code is contained in the Oracle Outside In libraries.
Should an attacker successfully exploit this vulnerability, they can achieve remote code execution on the server in the security context of the LocalService account. While the LocalService account has limited privileges on the operating system and can only access network resources as Anonymous, remote code execution is bad in any scenario. In other words, this is the small yield thermonuclear warhead of impacts. Microsoft rates this as “Critical,” which means you want to patch this now. There have not yet been any reports of exploits in the wild, but you don’t want to wait to hear about an exploited system before you start patching.
What is affected
The following versions of Exchange are impacted, including their most recent SPs, CUs, and RUs. If you are running a currently supported version of any of these Exchange releases, you’re vulnerable.
- Exchange 2013
- Exchange 2010
- Exchange 2007
What is not affected
Exchange 2003 is not vulnerable to this, primarily because it doesn’t offer WebReady Document Viewing and has no DLP capabilities.
What you should do
Test this patch in your lab environment right now, and deploy it immediately. The only real workaround is to block attachments completely, which is not really a workaround that any of us could live with.
You can read more about this in KB 2915705 (https://support.microsoft.com/kb/2915705). The vulnerabilities have also been published in the following CVEs.
So, get this deployed in your lab, make sure your QA tests pass, and then deploy it to all servers in your environment as soon as you can. I like to patch servers in this order:
- Edge Transport
- Hub Transport
If you are a CAS-CAS proxy customer, make sure you patch the Internet-facing CAS first, and then the internal CAS servers.
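As an added example (not from the original post), the script below inventories the Exchange servers in the organization from the Exchange Management Shell, sorts them into the deployment order described above (Edge Transport, Hub Transport, then Internet-facing CAS before internal CAS), and reads the file version of ExSetup.exe on each server so you can confirm after rollout that the update actually landed. Roles the post's list does not cover are left unranked at the end. The server names in $InternetFacingCas and the $MinimumPatchedBuild value are placeholders you must supply from your own environment and from the KB; the post gives no build numbers, so the patched/unpatched comparison only runs when you pass one. It assumes WinRM access to each server and the ExchangeInstallPath environment variable that Exchange 2010 and 2013 setup creates; Edge servers only appear in Get-ExchangeServer once an Edge Subscription exists.

```powershell
# Added example: order Exchange servers for patching and verify ExSetup.exe
# versions. Placeholders below (server names, minimum build) are assumptions.
param(
    [string[]]$InternetFacingCas = @('CAS-EXT-01'),   # placeholder: your Internet-facing CAS names
    [version]$MinimumPatchedBuild = $null             # placeholder: ExSetup.exe version after the update
)

# Rank a server's roles so that Sort-Object yields the order from the post.
# Multi-role servers take the earliest rank among their roles.
function Get-RoleRank {
    param([string]$ServerRole, [string]$Name)
    $ranks = @()
    if ($ServerRole -match 'Edge')         { $ranks += 1 }
    if ($ServerRole -match 'HubTransport') { $ranks += 2 }
    if ($ServerRole -match 'ClientAccess') {
        # CAS-CAS proxy guidance: Internet-facing CAS before internal CAS.
        $ranks += $(if ($InternetFacingCas -contains $Name) { 3 } else { 4 })
    }
    # Roles not covered by the post's list (for example Mailbox) go last, unranked.
    if ($ranks.Count -eq 0) { return 9 }
    return ($ranks | Measure-Object -Minimum).Minimum
}

# ExSetup.exe's file version tracks rollups and CUs; AdminDisplayVersion on
# Exchange 2010 stays at the service-pack level and will not show an RU.
function Get-ExSetupVersion {
    param([string]$ComputerName)
    try {
        Invoke-Command -ComputerName $ComputerName -ErrorAction Stop -ScriptBlock {
            $exsetup = Join-Path $env:ExchangeInstallPath 'bin\ExSetup.exe'
            [version](Get-Item $exsetup).VersionInfo.FileVersion
        }
    } catch {
        Write-Warning "Could not read ExSetup.exe version on ${ComputerName}: $_"
        $null
    }
}

# Build the inventory: one object per server with its roles, rank and versions.
$servers = Get-ExchangeServer | ForEach-Object {
    $roles = $_.ServerRole.ToString()
    New-Object PSObject -Property @{
        Name    = $_.Name
        Roles   = $roles
        Rank    = Get-RoleRank -ServerRole $roles -Name $_.Name
        Version = $_.AdminDisplayVersion.ToString()
        ExSetup = Get-ExSetupVersion -ComputerName $_.Fqdn
    }
}

# Emit the patch order with a status column; 'unknown' when no minimum build
# was supplied or the remote version could not be read.
$servers | Sort-Object Rank, Name | ForEach-Object {
    $status = if ($null -eq $MinimumPatchedBuild -or $null -eq $_.ExSetup) { 'unknown' }
              elseif ($_.ExSetup -ge $MinimumPatchedBuild) { 'patched' }
              else { 'NEEDS PATCH' }
    $_ | Add-Member -MemberType NoteProperty -Name Status -Value $status -PassThru
} | Format-Table Name, Roles, Rank, Version, ExSetup, Status -AutoSize
```

Run it once before patching to get the ordered list, and again afterwards with -MinimumPatchedBuild set to the post-update ExSetup.exe version from the KB; any server still reporting NEEDS PATCH is one you missed. Because the version is read from the file on disk rather than from Active Directory, a server that was patched but not yet restarted still reads as patched, so treat the output as an inventory check, not proof that the updated code is loaded.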