Microsoft Exchange Server vulnerability could allow remote code execution
Report ID: MS201308003
Date Published: 14 August 2013
Criticality: Critical
Compromise Type: remote-code-execution
Compromise From: remote
Affected Product/Component:
Microsoft Exchange Server 2007
Microsoft Exchange Server 2010
Microsoft Exchange Server 2013
Summary
Three vulnerabilities were reported in Microsoft Exchange Server, two of which could lead to remote code execution while the other one could cause the server to become unresponsive.
Detailed Description
Microsoft has released a security update to address three reported vulnerabilities in Microsoft Exchange Server. The vulnerabilities are triggered when the Oracle OutsideIn libraries parse specially crafted files. Upon successful exploitation, two of them could allow an attacker to execute code on the affected system, while the third could cause the server to become unresponsive.
All of the vulnerabilities have been patched in the latest update, which updates the affected Oracle OutsideIn libraries to a non-vulnerable version. Users are advised to install the latest update as a protective measure against potential exploitation attempts.
CVE Reference
CVE-2013-2393, CVE-2013-3776, CVE-2013-3781
Solution
Install the latest security patch for the applicable system, available for download from https://technet.microsoft.com/en-us/security/bulletin/ms13-061
F-Secure Health Check
F-Secure's free tool, the Health Check, detects if your system is missing the patch for the vulnerability covered in this report.




