

Vulnerability protection

Microsoft Exchange Server vulnerabilities could allow remote code execution


Report ID: MS201208007
Date Published: 15 August 2012

Criticality: Critical
Compromise Type: remote-code-execution
Compromise From: remote


Affected Product/Component:

Microsoft Exchange Server 2007
Microsoft Exchange Server 2010




Summary

Microsoft has released a security update to address multiple vulnerabilities in Microsoft Exchange Server involving the Oracle Outside In libraries. Each of the vulnerabilities could allow an attacker to execute arbitrary code and take control of an affected system.



Detailed Description

Microsoft has released a security update to address multiple vulnerabilities in Microsoft Exchange Server that specifically involve the Oracle Outside In libraries. These libraries are licensed from Oracle and are used to support the WebReady feature, which allows users to view certain attachments as a web page instead of opening them in a local application.

The vulnerabilities addressed in the update all result from using the WebReady Document Viewer to preview a specially crafted file. Upon successful exploitation, an attacker could execute code on the affected server, but only as LocalService.

The fix for these vulnerabilities is delivered through the latest update, which updates the affected Oracle Outside In libraries to a non-vulnerable version. Users are advised to install this update as a protective measure against potential exploit attempts.



CVE Reference

CVE-2012-1766, CVE-2012-1767, CVE-2012-1768, CVE-2012-1769, CVE-2012-1770, CVE-2012-1771, CVE-2012-1772, CVE-2012-1773, CVE-2012-3106, CVE-2012-3107, CVE-2012-3108, CVE-2012-3109, CVE-2012-3110



Solution

Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms12-058



