November 24, 2014

Microsoft fixes 23 vulnerabilities in Windows, Internet Explorer and Exchange

microsoft logo(LiveHacking.Com) – Microsoft has released eight security updates that address 23 vulnerabilities in Microsoft Windows, Internet Explorer and Exchange. Three of the bulletins are rated as Critical and the remaining five are rated as Important.

The first of the Critical updates (MS13-059) is a cumulative patch for IE. It resolves eleven privately reported vulnerabilities in Microsoft’s browser, the most severe of which could allow remote code execution if a user views a specially crafted webpage. The update affects Internet Explorer 6, 7, 8, 9, and 10 on all supported versions of Windows including Windows 8 and Windows 8 RT. On Windows Server platforms the severity is only Moderate.

The next Critical patch (MS13-060) fixes a vulnerability in the Unicode Scripts Processor included in Microsoft Windows. The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts. The fix changes the way that Microsoft Windows parses specific characteristics of OpenType fonts. The bug only affects Windows XP and Windows Server 2003, all other supported versions of Windows are unaffected.

The final Critical bulletin (MS13-061) is a patch for Exchange that addresses three publicly disclosed vulnerabilities in the WebReady Document Viewing and Data Loss Prevention features of Exchange Server. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using the Outlook Web App (OWA). Also the Data Loss Prevention feature contains code that could allow remote code execution in the security context of the Filtering Management service if a specially crafted message is received by the Exchange server. Exchange 2007, 2010 and 2013 are all affected, only Exchange 2003 is unaffected.

The remaining bulletins are all rated as Important and cover two sets of elevation of privilege bugs, two denial of service vulnerabilities and an information disclosure issue in Active Directory Federation Services (AD FS).

Microsoft releases Exchange Server security advisory due to vulnerabilities in Oracle libraries

(LiveHacking.Com) – Microsoft has released a security advisory detailing vulnerabilities in the Microsoft Exchange and FAST Search Server 2010 for SharePoint. The vulnerabilities are in Oracle’s Outside In libraries, that are used in Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and FAST Search Server 2010 for SharePoint. The Outside In libraries were updated earlier this month as part a Critical Patch Update released by Oracle.

The Oracle Outside In libraries, that are designed to parse and decode over 500 different file formats, contain several exploitable vulnerabilities which can allow a remote, unauthenticated attacker to run arbitrary code on a vulnerable system. Outside In 8.3.7.77 and earlier fail to properly handle multiple file types when the data is malformed. The file types that have vulnerable parsers are: .VSD, .WSD, .JP2, .DOC, .SXD, .LWP, .PCX, .SXI, .DPT, .PDF, .SAM, .ODG, and .CDR.

Since Exchange uses these libraries it is possible under certain conditions for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file. An attacker could then install programs; view, change, or delete data; or take any other action that the server process has access to do.

Workarounds

For Exchange Server 2007/2010 Microsoft recommends disabling the WebReady Document Viewing on the VDir of all CAS Servers. To do this:

  • Launch Exchange Management Shell as a user with Exchange Administrator privileges.
  • Issue the following Powershell Command:
    Get-OwaVirtualDirectory | where {$_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010'} | Set-OwaVirtualDirectory -WebReadyDocumentViewingOnPublicComputersEnabled:$False -WebReadyDocumentViewingOnPrivateComputersEnabled:$False

This will disable the in-browser document preview functionality. Users could still open and view attachments using the local application.

Microsoft’s Security Research & Defense team has posted a blog that provides more information on the matter as well as details about the workarounds. US-CERT has also published more information on the vulnerabilities.