Microsoft Security Bulletin MS16-079 - Important

Security Update for Microsoft Exchange Server (3160339)

Published: June 14, 2016

Version: 1.0

Executive Summary

This security update resolves vulnerabilites in Microsoft Exchange Server. The most severe of the vulnerabilities could allow information disclosure if an attacker sends a specially crafted image URL in an Outlook Web Access (OWA) message that is loaded, without warning or filtering, from the attacker-controlled URL.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, Microsoft Exchange Server 2013, and Microsoft Exchange Server 2016. For more information, see the Affected Software and Vulnerability Severity Ratings section.

The security update addresses the vulnerabilities by correcting the way that Microsoft Exchange parses HTML messages. For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3160339.

Affected Software and Vulnerability Severity Ratings

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

The severity ratings indicated for each affected software assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin’s release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the June bulletin summary.

Microsoft Server Software Microsoft Exchange Information Disclosure Vulnerability - CVE-2016-0028 Oracle Outside In Libraries Elevation of Privilege Vulnerabilities: CVE-2015-6013 CVE-2015-6014 CVE-2015-6015 Updates Replaced*
Microsoft Exchange Server 2007
Microsoft Exchange Server 2007 Service Pack 3 (3151086) Not applicable Important  Elevation of Privilege 2996150 in MS14-075
Microsoft Exchange Server 2010
Microsoft Exchange Server 2010 Service Pack 3 (3151097) Not applicable Important  Elevation of Privilege 2986475 in MS14-075
Microsoft Exchange Server 2013
Microsoft Exchange Server 2013 Service Pack 1 (3150501) Important  Information Disclosure Important  Elevation of Privilege 3124557 in MS16-010
Microsoft Exchange Server 2013 Cumulative Update 11 (3150501) Important  Information Disclosure Important  Elevation of Privilege 3124557 in MS16-010
Microsoft Exchange Server 2013 Cumulative Update 12 (3150501) Important  Information Disclosure Important  Elevation of Privilege None
Microsoft Exchange Server 2016
Microsoft Exchange Server 2016 (3150501) Important  Information Disclosure Important  Elevation of Privilege 3124557 in MS16-010
Microsoft Exchange Server 2016 Cumulative Update 1 (3150501) Important  Information Disclosure Important  Elevation of Privilege None

*The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

Update FAQ

Why is Microsoft issuing a security update for vulnerabilities that are in third-party code, Oracle Outside In libraries?  Microsoft licenses a custom implementation of the Oracle Outside In libraries, specific to the product in which the third-party code is used. Microsoft is issuing this security update to help ensure that all customers using this third-party code in Microsoft Exchange are protected from these vulnerabilities. For more information about these vulnerabilities, see Oracle Critical Patch Update Advisory - January 2016.

Do these updates contain any additional security-related changes to functionality?
The updates listed in the Affected Software and Vulnerability Severity Ratings table include defense-in-depth updates to help improve security-related features, in addition to the changes that are listed for the vulnerability described in this bulletin.

Vulnerability Information

Microsoft Exchange Information Disclosure Vulnerability - CVE-2016-0028

An email filter bypass exists in the way that Microsoft Exchange parses HTML messages that could allow information disclosure. An attacker who successfully exploited the vulnerability could identify, fingerprint, and track a user online if the user views email messages using Outlook Web Access (OWA). An attacker could also combine this vulnerability with another one, such as a Cross-Site Request Forgery (CSRF), to amplify the attack.

To exploit the vulnerability, an attacker could include specially crafted image URLs in OWA messages that could be loaded, without warning or filtering, from the attacker-controlled URL. This callback vector provides an information disclosure tactic used in web beacons and other types of tracking systems. The update corrects the way that Exchange parses HTML messages.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title CVE number Publicly disclosed Exploited
Microsoft Exchange Information Disclosure Vulnerability CVE-2016-0028 No No

Mitigating Factors

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

Oracle Outside In Libraries Elevation of Privilege Vulnerabilities

This security update addresses the following vulnerabilities, which are described in Oracle Critical Patch Update Advisory - January 2016:

  • CVE-2015-6013: Oracle Outside In 8.5.2 WK4 stack buffer overflow
  • CVE-2015-6014: Oracle Outside In 8.5.2 DOC stack buffer overflow
  • CVE-2015-6015: Oracle OIT 8.5.2 Paradox DB stack buffer overflow

Security Update Deployment

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced in the Executive Summary.

Acknowledgments

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (June 14, 2016): Bulletin published.

Page generated 2016-06-08 10:44-07:00.