June 14, 2021

Microsoft releases Exchange Server security advisory due to vulnerabilities in Oracle libraries

(LiveHacking.Com) – Microsoft has released a security advisory detailing vulnerabilities in the Microsoft Exchange and FAST Search Server 2010 for SharePoint. The vulnerabilities are in Oracle’s Outside In libraries, that are used in Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and FAST Search Server 2010 for SharePoint. The Outside In libraries were updated earlier this month as part a Critical Patch Update released by Oracle.

The Oracle Outside In libraries, that are designed to parse and decode over 500 different file formats, contain several exploitable vulnerabilities which can allow a remote, unauthenticated attacker to run arbitrary code on a vulnerable system. Outside In and earlier fail to properly handle multiple file types when the data is malformed. The file types that have vulnerable parsers are: .VSD, .WSD, .JP2, .DOC, .SXD, .LWP, .PCX, .SXI, .DPT, .PDF, .SAM, .ODG, and .CDR.

Since Exchange uses these libraries it is possible under certain conditions for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file. An attacker could then install programs; view, change, or delete data; or take any other action that the server process has access to do.


For Exchange Server 2007/2010 Microsoft recommends disabling the WebReady Document Viewing on the VDir of all CAS Servers. To do this:

  • Launch Exchange Management Shell as a user with Exchange Administrator privileges.
  • Issue the following Powershell Command:
    Get-OwaVirtualDirectory | where {$_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010'} | Set-OwaVirtualDirectory -WebReadyDocumentViewingOnPublicComputersEnabled:$False -WebReadyDocumentViewingOnPrivateComputersEnabled:$False

This will disable the in-browser document preview functionality. Users could still open and view attachments using the local application.

Microsoft’s Security Research & Defense team has posted a blog that provides more information on the matter as well as details about the workarounds. US-CERT has also published more information on the vulnerabilities.