The following cyber advisory was issued by the New York State Office of Information Technology Services and is intended for State government entities. The information may or may not be applicable to the general public and, accordingly, the State does not warrant its use for any specific purposes.

ITS ADVISORY NUMBER:
2013-074 - Updated

DATE(S) ISSUED:
8/13/2013
8/16/2013 - UPDATED

SUBJECT:
Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (MS13-061)

ORIGINAL OVERVIEW:

Multiple vulnerabilities have been reported in Microsoft Exchange Server WebReady Document Viewing and the Data Loss Prevention (DLP) feature that could allow remote code execution. Microsoft Exchange provides email, calendar, and contacts for corporate environments. MS Exchange Server WebReady Document Viewing is a feature that allows Outlook Web Access (OWA) users to view attachments such as Microsoft Office documents within the browser. Exploitation of these vulnerabilities could occur by sending an email with a specially crafted file to a user on an affected Exchange server.

Successful exploitation could allow an attacker to run arbitrary code within the context of the LocalService account on the affected Microsoft Exchange Server. Depending on the privileges associated with the account, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

August 16 - UPDATED OVERVIEW:
Microsoft has removed the update for Microsoft Exchange 2013 in bulletin MS13-061. The update causes multiple errors on the server. Microsoft is researching this problem and will post more information when the information becomes available. Microsoft Exchange 2007 and Microsoft Exchange 2010 are unaffected by this issue.

SYSTEMS AFFECTED:

  • Microsoft Exchange Server 2007
  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2013

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: High

ORIGINAL DESCRIPTION:
Multiple vulnerabilities have been discovered in Microsoft Exchange Server WebReady Document Viewing and the Data Loss Prevention feature. These vulnerabilities could allow remote code execution in the security context of the Filtering Management service if a specially crafted message is received by the Exchange server. WebReady is enabled by default.

These issues exist due to vulnerabilities contained within libraries of Oracle Outside In, which are used when handling and rendering unstructured document formats. If WebReady Document Viewing is disabled, OWA users may not be able to preview the content of email attachments.

To exploit these vulnerabilities, an attacker sends a specially crafted file to the Exchange server or user on a vulnerable version of Microsoft Exchange. When the user opens the document within their browser, the specially crafted file runs within the privilege context of the LocalService account on the Microsoft Exchange Server. The LocalService account by default has limited system and file system privileges and sends only anonymous credentials over the network.

Successful exploitation could allow an attacker to run arbitrary code within the context of the LocalService account on the affected Microsoft Exchange Server. Depending on the privileges associated with the account, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights.

August 16 - UPDATED DESCRIPTION:
Microsoft has removed the update for Microsoft Exchange 2013 in bulletin MS13-061. You may have already installed the update for Microsoft Exchange 2013 and be experiencing the following:

  • The content index (CI) for mailbox databases shows "Failed" on the affected server.
  • The Microsoft Exchange Search Host Controller service is missing.
  • You see a new service that is named "Host Controller service for Exchange."

A workaround has been developed. You can view this in the following Microsoft Knowledge Base Article: http://support.microsoft.com/kb/2879739. Microsoft is researching this problem and will post more information when the information becomes available. The update does not cause issues with Microsoft Exchange 2007 or Microsoft Exchange 2010.
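
The three symptoms listed above can be checked from the Exchange Management Shell on an Exchange 2013 server. This is an added example, not part of the original advisory or of Microsoft's Knowledge Base article; the function name `Test-SearchUpdateSymptoms` and the output property names are hypothetical, and the service display names are the ones quoted in the advisory.

```powershell
# Added example (not from the advisory): report which of the three listed
# symptoms are present on the local Exchange 2013 server.
function Test-SearchUpdateSymptoms {   # hypothetical helper name
    # Symptom 1: content index (CI) state is "Failed" for database copies on this server.
    $failed = @(Get-MailboxDatabaseCopyStatus -Server $env:COMPUTERNAME |
        Where-Object { $_.ContentIndexState -eq 'Failed' } |
        ForEach-Object { $_.Name })

    # Symptom 2: the Microsoft Exchange Search Host Controller service is missing.
    # Get-Service raises an error when nothing matches, so suppress it and test for $null.
    $searchSvc = Get-Service -DisplayName 'Microsoft Exchange Search Host Controller' `
        -ErrorAction SilentlyContinue

    # Symptom 3: a new service named "Host Controller service for Exchange" is present.
    $newSvc = Get-Service -DisplayName 'Host Controller service for Exchange*' `
        -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        Server                      = $env:COMPUTERNAME
        FailedContentIndexes        = $failed
        SearchHostControllerMissing = ($null -eq $searchSvc)
        UnexpectedHostControllerSvc = ($null -ne $newSvc)
    }

    # Convenience flag: true when at least one of the listed symptoms is observed.
    $result | Add-Member -NotePropertyName AnySymptomPresent -NotePropertyValue (
        ($failed.Count -gt 0) -or
        $result.SearchHostControllerMissing -or
        $result.UnexpectedHostControllerSvc)

    return $result
}

Test-SearchUpdateSymptoms | Format-List
```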

ORIGINAL RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Evaluate the relative need for WebReady viewing. Disable if deemed non-essential.
  • Apply the principle of Least Privilege to all services.
  • Remind users not to open email attachments from unknown users or suspicious emails from trusted sources.
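
For the recommendation to evaluate and disable WebReady viewing, the following added example (not part of the original advisory) audits the WebReady Document Viewing settings on each OWA virtual directory and turns them off only when asked. It assumes the Exchange Management Shell; the function name `Disable-WebReadyViewing` and its `-Apply` switch are hypothetical.

```powershell
# Added example (not from the advisory): audit WebReady Document Viewing on all
# OWA virtual directories, and disable it only when -Apply is specified.
function Disable-WebReadyViewing {   # hypothetical helper name
    param([switch]$Apply)

    $vdirs = @(Get-OwaVirtualDirectory)

    # Show the current state first so the change can be reviewed and later reverted.
    $vdirs | Select-Object Server, Name,
        WebReadyDocumentViewingOnPublicComputersEnabled,
        WebReadyDocumentViewingOnPrivateComputersEnabled |
        Format-Table -AutoSize | Out-Host

    # Virtual directories where WebReady is still on for public or private sessions.
    $enabled = @($vdirs | Where-Object {
        $_.WebReadyDocumentViewingOnPublicComputersEnabled -or
        $_.WebReadyDocumentViewingOnPrivateComputersEnabled
    })

    if ($enabled.Count -eq 0) {
        Write-Output 'WebReady Document Viewing is already disabled everywhere.'
        return
    }

    if (-not $Apply) {
        Write-Output "$($enabled.Count) OWA virtual directory(ies) have WebReady enabled. Re-run with -Apply to disable."
        return
    }

    foreach ($vdir in $enabled) {
        # OWA users lose in-browser attachment preview after this change.
        Set-OwaVirtualDirectory -Identity $vdir.Identity `
            -WebReadyDocumentViewingOnPublicComputersEnabled $false `
            -WebReadyDocumentViewingOnPrivateComputersEnabled $false
        Write-Output "Disabled WebReady Document Viewing on $($vdir.Identity)"
    }
}

Disable-WebReadyViewing          # audit only
# Disable-WebReadyViewing -Apply # make the change
```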

August 16 - UPDATED RECOMMENDATION:

  • If you have already updated Microsoft Exchange Server 2013 and are receiving errors, please refer to Knowledge Base Article 2879739. This article can be found at the following link: http://support.microsoft.com/kb/2879739

ORIGINAL REFERENCES:
Microsoft:
https://technet.microsoft.com/en-us/security/bulletin/ms13-061

CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3781
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3776
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2393

August 16 - UPDATED REFERENCE:
Microsoft:
http://support.microsoft.com/kb/2879739