Microsoft Security Bulletin MS16-010 - Important

Security Update in Microsoft Exchange Server to Address Spoofing (3124557)

Published: January 12, 2016

Version: 1.0

This security update resolves vulnerabilities in Microsoft Exchange Server. The most severe of the vulnerabilities could allow spoofing if Outlook Web Access (OWA) fails to properly handle web requests, and sanitize user input and email content.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2013 and Microsoft Exchange Server 2016. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by correcting how Microsoft Exchange OWA validates web requests and by helping to ensure that OWA properly sanitizes user input and email content. For more information about the vulnerabilities, see the Vulnerability Information section.

For more information about this update, see Microsoft Knowledge Base Article 3124557.

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Software

Maximum Security Impact

Aggregate Severity Rating

Updates Replaced*

Microsoft Server Software

Microsoft Exchange Server 2013 Service Pack 1
(3124557)

Spoofing

Important

3087126 in MS15-103

Microsoft Exchange Server 2013 Cumulative Update 10
(3124557)

Spoofing

Important

None

Microsoft Exchange Server 2013 Cumulative Update 11
(3124557)

Spoofing

Important

None

Microsoft Exchange Server 2016
(3124557)

Spoofing

Important

None

*The Updates Replaced column shows only the latest update in any chain of superseded updates. For a comprehensive list of updates replaced, go to the Microsoft Update Catalog, search for the update KB number, and then view update details (updates replaced information is provided on the Package Details tab).

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the January bulletin summary.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software

Affected Software

Exchange Spoofing Vulnerability - CVE-2016-0029

Exchange Spoofing Vulnerability - CVE-2016-0030

Exchange Spoofing Vulnerability - CVE-2016-0031

Exchange Spoofing Vulnerability - CVE-2016-0032

Aggregate Severity Rating

Microsoft Server Software

Microsoft Exchange Server 2013 Service Pack 1
(3124557)

Not applicable

Important 
Spoofing

Not applicable

Important 
Spoofing

Important

Microsoft Exchange Server 2013 Cumulative Update 10
(3124557)

Not applicable

Important 
Spoofing

Not applicable

Important 
Spoofing

Important

Microsoft Exchange Server 2013 Cumulative Update 11
(3124557)

Not applicable

Not applicable

Not applicable

Important 
Spoofing

Important

Microsoft Exchange Server 2016
(3124557)

Important 
Spoofing

Important 
Spoofing

Important 
Spoofing

Important 
Spoofing

Important

 

Multiple Exchange Spoofing Vulnerabilities

Multiple spoofing vulnerabilities exist in Microsoft Exchange Server when Outlook Web Access (OWA) fails to properly handle web requests. An attacker who successfully exploited the vulnerabilities could perform script or content injection attacks, and attempt to trick the user into disclosing sensitive information. An attacker could also redirect the user to a malicious website that could spoof content or be used as a pivot to chain an attack with other vulnerabilities in web services.

To exploit the vulnerabilities, an attacker could send a specially crafted email containing a malicious link to a user. An attacker could also use a chat client to social engineer a user into clicking the malicious link. However, in both examples the user must click the malicious link. The security update addresses the vulnerabilities by correcting how OWA validates web requests.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Vulnerability title

CVE number

Publicly disclosed

Exploited

Exchange Spoofing Vulnerability

CVE-2016-0029

No

No

Exchange Spoofing Vulnerability

CVE-2016-0030

No

No

Exchange Spoofing Vulnerability

CVE-2016-0031

No

No

Exchange Spoofing Vulnerability

CVE-2016-0032

No

No


Mitigating Factors

The following mitigating factors may be helpful in your situation:

  • To generate the malicious link, an attacker must already be an authenticated Microsoft Exchange user and be able to send email messages.
  • The malicious link could be sent in an email, but the attacker would have to convince a user to open the link in order to exploit the vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

For Security Update Deployment information, see the Microsoft Knowledge Base article referenced here in the Executive Summary.

Microsoft recognizes the efforts of those in the security community who help us protect customers through coordinated vulnerability disclosure. See Acknowledgments for more information.

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

  • V1.0 (January 12, 2015): Bulletin published.

Page generated 2016-03-22 12:35-07:00.
Show: