Microsoft Exchange Server vulnerabilities could allow remote code execution
Report ID: MS201208007
Date Published: 15 August 2012
Compromise Type: remote-code-execution
Compromise From: remote
Microsoft Exchange Server 2007
Microsoft Exchange Server 2010
Microsoft has released a security update to address multiple vulnerabilities in Microsoft Exchange Server involving Oracle Outside In libraries. Each of the vulnerabilities could allow an attacker to execute arbitrary code and take control of an affected system.
Microsoft has released a security update to address multiple vulnerabilities in Microsoft Exchange Server that specifically involve Oracle Outside In libraries. The Oracle Outside In libraries are licensed from Oracle and are used to support the WebReady feature, which allows a user to view certain attachments as a web page instead of opening them in a local application.
The vulnerabilities addressed in the update all result from using the WebReady Document Viewer to preview a specially crafted file. Upon successful exploitation, an attacker could execute code on the affected server, but only as LocalService.
The latest update fixes these vulnerabilities by updating the affected Oracle Outside In libraries to a non-vulnerable version. Users are advised to install this update as a protective measure against potential exploit attempts.
CVE-2012-1766, CVE-2012-1767, CVE-2012-1768, CVE-2012-1769, CVE-2012-1770, CVE-2012-1771, CVE-2012-1772, CVE-2012-1773, CVE-2012-3106, CVE-2012-3107, CVE-2012-3108, CVE-2012-3109, CVE-2012-3110
Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms12-058