Wednesday, December 12, 2012

Exchange Server Vulnerability Could Allow Remote Code Execution

Unfortunately, there seems to be another vulnerability in the Exchange Server WebReady Document Viewing feature, this time in the third-party Oracle Outside In libraries.

This security update resolves publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server.

The most severe vulnerabilities are in Microsoft Exchange Server WebReady Document Viewing and could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App.
The transcoding service that Exchange uses for WebReady Document Viewing runs under the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.

This security update is rated Critical for all supported editions of Exchange Server 2007 and 2010!

For more information and to download the update, please see Microsoft Security Bulletin MS12-080 - Critical

1 comment:

  1. It is good to be aware of the possible problems that can occur. Good info!