CIS CYBER SECURITY ADVISORIES
MS-ISAC CYBER SECURITY ADVISORY NUMBER:
Vulnerabilities in Microsoft Exchange Server WebReady Document Viewing Could Allow Remote Code Execution (MS12-058)
Multiple vulnerabilities have been reported in Microsoft Exchange Server WebReady Document Viewing that could allow remote code execution. Microsoft Exchange Server provides email, calendar and contacts for corporate environments. MS Exchange Server Web Ready Document viewing is a feature that allows Outlook Web Access (OWA) users to view attachments such as Microsoft Office documents within the browser.
Successful exploitation could allow an attacker to run arbitrary code within the context of the LocalService account on the affected Microsoft Exchange Server. Typically, the LocalService account has minimum privileges on the system.
- Microsoft Exchange Server 2007 SP 3
- Microsoft Exchange Server 2010 SP 1 & 2
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
Home users: N/A
Multiple vulnerabilities have been discovered in Microsoft Exchange Server WebReady Document Viewing that can allow an attacker to take complete control of a Windows Exchange Server. Microsoft Exchange Server WebReady is enabled by default.
This issue exists due to vulnerabilities contained within libraries of Oracle Outside In. These libraries are used when handling and rendering unstructured document formats. If disabled, OWA users may not be able to preview the content of email attachments.
To exploit this vulnerability, an attacker creates a specially crafted file that is sent via e-mail to a user on a vulnerable version of Microsoft Exchange Server. When the user opens the document within their browser, the attackers code runs within the privilege context of the LocalService account on the Microsoft Exchange Server. The LocalService account by default has limited system and file system privileges and sends only anonymous credentials over the network.
Successful exploitation could result in an attacker leveraging other vulnerabilities to escalate their privileges. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
We recommend the following actions be taken:
- Apply appropriate patches provided by Microsoft to vulnerable systems after testing.
- Evaluate the relative need for WebReady viewing and disable if deemed non-essential.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to open un-trusted attachmentsfrom unknown or untrusted sources.