Microsoft Security Bulletin MS13-061 - Critical

Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2876063)

Published: August 13, 2013 | Updated: August 27, 2013

Version: 3.0

General Information

Executive Summary

This security update resolves three publicly disclosed vulnerabilities in Microsoft Exchange Server. The vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange that is used for WebReady Document Viewing uses the credentials of the LocalService account. The Data Loss Prevention feature hosts code that could allow remote code execution in the security context of the Filtering Management service if a specially crafted message is received by the Exchange server. The Filtering Management service in Exchange uses the credentials of the LocalService account. The LocalService account has minimum privileges on the local system and presents anonymous credentials on the network.

This security update is rated Critical for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Exchange Server 2013. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerabilities by updating the affected Oracle Outside In libraries to a non-vulnerable version. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerabilities entry under the next section, Vulnerability Information.

Recommendation. Customers can configure automatic updating to check online for updates from Microsoft Update by using the Microsoft Update service. Customers who have automatic updating enabled and configured to check online for updates from Microsoft Update typically will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates from Microsoft Update and install this update manually. For information about specific configuration options in automatic updating in supported editions of Windows XP and Windows Server 2003, see Microsoft Knowledge Base Article 294871. For information about automatic updating in supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, see Understanding Windows automatic updating.

For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.

See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.

Known Issues. None

Knowledge Base Article

Knowledge Base Article    2876063
File information          Yes
SHA1/SHA2 hashes          Yes
Known issues              Yes

Affected and Non-Affected Software

The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Affected Software

Software | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced

Microsoft Server Software
Microsoft Exchange Server 2007 Service Pack 3 (2873746) | Remote Code Execution | Critical | 2788321 in MS13-012
Microsoft Exchange Server 2010 Service Pack 2 (2874216) | Remote Code Execution | Critical | 2746164 in MS13-012
Microsoft Exchange Server 2010 Service Pack 3 (2866475) | Remote Code Execution | Critical | None
Microsoft Exchange Server 2013 Cumulative Update 1 (2874216) | Remote Code Execution | Critical | None
Microsoft Exchange Server 2013 Cumulative Update 2 (2874216) | Remote Code Execution | Critical | None

Non-Affected Software 

Microsoft Server Software
Microsoft Exchange Server 2003 Service Pack 2 

Update FAQ

Why was this bulletin revised on August 27, 2013?  Microsoft rereleased this bulletin to announce the reoffering of the 2874216 update affecting Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2. The rereleased update resolves an issue with the original update, released on August 13, 2013, that could cause Exchange Server to stop indexing mail on servers. Customers who already installed the original update will be reoffered the 2874216 update and are encouraged to apply it at the earliest opportunity.

If I am running the first offering of 2874216, do I need to execute the steps outlined in KB 2879739 after applying the rereleased update?   This rereleased update addresses the issue that caused the original 2874216 update to install incorrectly on Exchange servers that previously had not been updated. To restore full functionality to any server that has had the first offering of 2874216 installed on it, administrators need to apply the rereleased 2874216 update and also follow the steps detailed in Knowledge Base Article 2879739.

What happens if a security update or any other interim update patch is uninstalled?  Removing any security update or interim update patch will cause the content indexing service to fail. To restore full functionality it will be necessary to follow the steps outlined in Knowledge Base Article 2879739. This issue with uninstalling a security or interim update will be resolved in Cumulative Update 3.

Why was this bulletin revised on August 14, 2013? What happened to the original 2874216 security updates for Microsoft Exchange Server 2013?  Microsoft is aware of an issue with the 2874216 updates affecting Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2 that could cause Exchange Server to stop indexing mail on servers. Microsoft has removed the updates from Windows Update and the Download Center and is investigating the issue. Microsoft will release new packages once the issue has been resolved.

The Oracle Critical Patch Update advisories discuss multiple vulnerabilities. Which vulnerabilities does this update address?
This update addresses three vulnerabilities: CVE-2013-3781 and CVE-2013-3776, as discussed in Oracle Critical Patch Update Advisory - July 2013, and CVE-2013-2393, as discussed in Oracle Critical Patch Update Advisory - April 2013.

Does this update contain any non-security related changes to functionality?
Yes, depending on the version of Microsoft Exchange Server installed. In addition to the changes that are listed in the Vulnerability Information section of this bulletin, this update includes other functionality changes as described in the associated KB articles for the affected rollup updates listed below.

These are vulnerabilities in third-party code, Oracle Outside In libraries. Why is Microsoft issuing a security update?
Microsoft licenses a custom implementation of the Oracle Outside In libraries, specific to the product in which the third-party code is used. Microsoft is issuing this security update to help ensure that all customers using this third-party code in Microsoft Exchange are protected from these vulnerabilities.

I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, see the Microsoft Support Lifecycle website.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, see the Microsoft Worldwide Information website, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Vulnerability Information

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the August bulletin summary. For more information, see Microsoft Exploitability Index.

Affected Software | Oracle Outside In Contains Multiple Exploitable Vulnerabilities: CVE-2013-2393 | Oracle Outside In Contains Multiple Exploitable Vulnerabilities: CVE-2013-3776 | Oracle Outside In Contains Multiple Exploitable Vulnerabilities: CVE-2013-3781 | Aggregate Severity Rating
Microsoft Exchange Server 2007 Service Pack 3 (2873746) | Critical, Remote Code Execution | Critical, Remote Code Execution | Critical, Remote Code Execution | Critical
Microsoft Exchange Server 2010 Service Pack 2 (2874216) | Critical, Remote Code Execution | Critical, Remote Code Execution | Critical, Remote Code Execution | Critical
Microsoft Exchange Server 2010 Service Pack 3 (2866475) | Critical, Remote Code Execution | Critical, Remote Code Execution | Critical, Remote Code Execution | Critical
Microsoft Exchange Server 2013 Cumulative Update 1 (2874216) | Critical, Remote Code Execution | Critical, Remote Code Execution | Critical, Remote Code Execution | Critical
Microsoft Exchange Server 2013 Cumulative Update 2 (2874216) | Critical, Remote Code Execution | Critical, Remote Code Execution | Critical, Remote Code Execution | Critical

Oracle Outside In Contains Multiple Exploitable Vulnerabilities

Two of the three vulnerabilities addressed in this bulletin, CVE-2013-2393 and CVE-2013-3776, exist in Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 through the WebReady Document Viewing feature. The vulnerabilities could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser. An attacker who successfully exploited this vulnerability could run code on the affected Exchange Server, but only as the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.

The third vulnerability, CVE-2013-3781, exists in Exchange Server 2013 through the Data Loss Prevention (DLP) feature. This vulnerability could cause the affected Exchange Server to become unresponsive if a user views a specially crafted file through Outlook Web Access in a browser.

To view these vulnerabilities as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2013-2393, CVE-2013-3776, and CVE-2013-3781.

Mitigating Factors

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network. This is a mitigating factor for CVE-2013-3776 and CVE-2013-3781.
  • The Filtering Management service in Exchange that is used for Data Loss Prevention is running in the LocalService account. The LocalService account has minimum privileges on the local system and presents anonymous credentials on the network. This is a mitigating factor for CVE-2013-3776 and CVE-2013-3781.

Workarounds

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

  • Disable Data Loss Prevention (Exchange Server 2013 only)

    1. Log in to the Exchange Management Shell as an Exchange Organization Administrator.

    2. Issue one of the following PowerShell commands depending upon the version of Exchange Server 2013 installed:

      For Exchange Server 2013 Cumulative Update 1:

      %SystemDrive%\Program Files\Microsoft\Exchange Server\V15\Scripts\Disable-OutsideIn.ps1

      For Exchange Server 2013 Cumulative Update 2:

      Set-TextExtractionScanSettings -EnableModules AdeModule.dll, FilterModule.dll, TextConversionModule.dll

    Impact of workaround. DLP policies that depend on the Outside In libraries will not function. The script provided for Cumulative Update 1 will cause the Transport and Filtering Management services to restart.

    How do I undo the workaround?

    1. Log in to the Exchange Management Shell as an Exchange Organization Administrator.

    2. Issue one of the following PowerShell commands, depending on the version of Exchange Server 2013 installed:

      For Exchange Server 2013 Cumulative Update 1:

      %SystemDrive%\Program Files\Microsoft\Exchange Server\V15\Scripts\Enable-OutsideIn.ps1

      For Exchange Server 2013 Cumulative Update 2:

      Set-TextExtractionScanSettings -EnableModules AdeModule.dll, FilterModule.dll, TextConversionModule.dll, OutsideInModule.dll

  • Disable WebReady document view

    1. Log in to the Exchange Management Shell as an Exchange Organization Administrator.

    2. Issue the following PowerShell command:

      Get-OwaVirtualDirectory | where {$_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010' -or $_.OwaVersion -eq 'Exchange2013'} | Set-OwaVirtualDirectory -WebReadyDocumentViewingOnPublicComputersEnabled:$False -WebReadyDocumentViewingOnPrivateComputersEnabled:$False

    Impact of workaround. OWA users may not be able to preview the content of email attachments.

    How do I undo the workaround?

    1. Log in to the Exchange Management Shell as an Exchange Organization Administrator.

    2. Issue the following PowerShell command:

      Get-OwaVirtualDirectory | where {$_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010' -or $_.OwaVersion -eq 'Exchange2013'} | Set-OwaVirtualDirectory -WebReadyDocumentViewingOnPublicComputersEnabled:$True -WebReadyDocumentViewingOnPrivateComputersEnabled:$True

    Note: The above steps assume the Exchange Administrator had previously allowed WebReady Documents to be viewed on both Public and Private logons to OWA. The appropriate $True or $False value should be used to set the desired behavior based upon user logon.
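The following audit script is an added example, not part of the bulletin or of Microsoft's own tooling. It checks a single server for the two things the workarounds and the reference tables together describe: whether the MS13-061 update key is present (using the registry paths listed under Registry key verification) and whether WebReady Document Viewing is still enabled on the server's OWA virtual directories. It assumes it is run from the Exchange Management Shell on the server being checked; the registry paths are copied from the bulletin's reference tables, and the `-Server` parameter of `Get-OwaVirtualDirectory` is used as documented.

```powershell
# Added example (not from the MS13-061 bulletin): audit one Exchange server for
# (a) presence of the MS13-061 update, via the bulletin's "Registry key verification" paths, and
# (b) whether the WebReady Document Viewing workaround is in effect on each OWA virtual directory.
# Assumption: run from the Exchange Management Shell on the server under review.

$updateKeys = @{
    'Exchange 2007 SP3' = 'HKLM:\SOFTWARE\Microsoft\Updates\Exchange 2007\SP2\KB2873746'
    'Exchange 2010 SP2' = 'HKLM:\SOFTWARE\Microsoft\Updates\Exchange 2010\SP1\KB2874216'
    'Exchange 2010 SP3' = 'HKLM:\SOFTWARE\Microsoft\Updates\Exchange 2010\SP3\KB2866475'
    'Exchange 2013'     = 'HKLM:\SOFTWARE\Microsoft\Updates\Exchange 2013\SP1\KB2874216'
}

# (a) Update presence: any one of the edition-specific keys is enough.
$patched = $false
foreach ($edition in $updateKeys.Keys) {
    if (Test-Path -LiteralPath $updateKeys[$edition]) {
        Write-Output "MS13-061 update key present for $edition"
        $patched = $true
    }
}
if (-not $patched) {
    Write-Warning 'No MS13-061 registry key found on this server: apply the update, or keep a workaround in place until it is applied.'
}

# (b) WebReady Document Viewing: the workaround is only effective when BOTH
#     the public- and private-computer flags are $false on every OWA virtual directory.
$owaVdirs = Get-OwaVirtualDirectory -Server $env:COMPUTERNAME -ErrorAction SilentlyContinue
if (-not $owaVdirs) {
    Write-Output 'No OWA virtual directories found on this server (Client Access role not installed?).'
}
foreach ($vdir in $owaVdirs) {
    $exposed = ($vdir.WebReadyDocumentViewingOnPublicComputersEnabled -or
                $vdir.WebReadyDocumentViewingOnPrivateComputersEnabled)
    $state = if ($exposed) { 'ENABLED (attachment previews still pass through the Outside In libraries)' } else { 'disabled' }
    Write-Output ("{0}: WebReady Document Viewing {1}" -f $vdir.Identity, $state)
}
```

A server that reports no update key and WebReady Document Viewing ENABLED has neither the fix nor the workaround in place.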

FAQ

What is the scope of the vulnerabilities? 
These are remote code execution vulnerabilities.

What causes the vulnerabilities? 
The vulnerabilities are caused when the Oracle Outside In libraries parse specially crafted files.

What are the Oracle Outside In libraries? 
In Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013, Outlook Web App (OWA) users are provided with a feature called WebReady Document Viewing that allows users to view certain attachments as webpages instead of relying on local applications to open or view them. The Oracle Outside In libraries are used by the conversion process on the server backend to support the WebReady feature. Microsoft licenses these libraries from Oracle.

In Exchange Server 2013, Exchange Data Loss Prevention (DLP) leverages the Oracle Outside In libraries as part of its file scanning capabilities.

What is WebReady Document Viewing? 
WebReady Document Viewing allows users to view certain attachments as a webpage. Exchange 2007, Exchange 2010, and Exchange 2013 do the conversion, so the user does not need anything other than a web browser to view the attachments.

What is Data Loss Prevention (DLP)?
Data Loss Prevention (DLP) is a feature of Exchange 2013 that allows customers to identify, monitor, and protect sensitive data through deep content analysis.

What might an attacker use these vulnerabilities to do? 
An attacker who successfully exploited these vulnerabilities could run arbitrary code as LocalService on the affected Exchange server. An attacker could then install programs; view, change, or delete data; or take any other action that the server process has access to do.

How could an attacker exploit these vulnerabilities? 
An attacker could send an email message containing a specially crafted file to a user on an affected Exchange server.

What systems are primarily at risk from the vulnerabilities? 
Systems running affected versions of Exchange Server are primarily at risk from these vulnerabilities.

What does the update do? 
The update addresses the vulnerabilities by updating the affected Oracle Outside In libraries to a non-vulnerable version.

When this security bulletin was issued, had these vulnerabilities been publicly disclosed? 
Yes. These vulnerabilities have been publicly disclosed. They have been assigned the following Common Vulnerability and Exposure numbers: CVE-2013-2393, CVE-2013-3776, and CVE-2013-3781.

When this security bulletin was issued, had Microsoft received any reports that these vulnerabilities were being exploited? 
No. Microsoft had not received any information to indicate that these vulnerabilities had been publicly used to attack customers when this security bulletin was originally issued.

Update Information

Detection and Deployment Tools and Guidance

Several resources are available to help administrators deploy security updates. 

  • Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems for missing security updates and common security misconfigurations. 
  • Windows Server Update Services (WSUS), Systems Management Server (SMS), and System Center Configuration Manager (SCCM) help administrators distribute security updates. 
  • The Update Compatibility Evaluator components included with Application Compatibility Toolkit aid in streamlining the testing and validation of Windows updates against installed applications. 

For information about these and other tools that are available, see Security Tools for IT Pros.

Security Update Deployment

Affected Software

For information about the specific security update for your affected software, click the appropriate link:

Microsoft Exchange Server 2007 Service Pack 3

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup
Security update file name | For Microsoft Exchange Server 2007 Service Pack 3: Exchange2007-KB2873746-x64-EN.msp
Installation switches | See Microsoft Knowledge Base Article 912203
Restart requirement | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
Update log file | KB2873746.log
Removal information | Use Add or Remove Programs item in Control Panel.
File information | See Microsoft Knowledge Base Article 2873746
Registry key verification | For Microsoft Exchange Server 2007 Service Pack 3: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange 2007\SP2\KB2873746

Microsoft Exchange Server 2010 Service Pack 2

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup
Security update file name | For Microsoft Exchange Server 2010 Service Pack 2: Exchange2010-KB2874216-x64-en.msp
Installation switches | See Microsoft Knowledge Base Article 912203
Restart requirement | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
Update log file | KB2874216.log
Removal information | Use Add or Remove Programs item in Control Panel.
File information | See Microsoft Knowledge Base Article 2874216
Registry key verification | For Microsoft Exchange Server 2010 Service Pack 2: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange 2010\SP1\KB2874216

Microsoft Exchange Server 2010 Service Pack 3

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup
Security update file name | For Microsoft Exchange Server 2010 Service Pack 3: Exchange2010-KB2866475-x64-en.msp
Installation switches | See Microsoft Knowledge Base Article 912203
Restart requirement | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
Update log file | KB2866475.log
Removal information | Use Add or Remove Programs item in Control Panel.
File information | See Microsoft Knowledge Base Article 2866475
Registry key verification | For Microsoft Exchange Server 2010 Service Pack 3: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange 2010\SP3\KB2866475

Microsoft Exchange Server 2013

Reference Table

The following table contains the security update information for this software.

Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup
Security update file name | For Microsoft Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2: Exchange2013-KB2874216-v2-x64-en.msp
Installation switches | See Microsoft Knowledge Base Article 912203
Restart requirement | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012.
Update log file | KB2874216.log
Removal information | Use Add or Remove Programs item in Control Panel.
File information | See Microsoft Knowledge Base Article 2874216
Registry key verification | For supported editions of Microsoft Exchange Server 2013: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange 2013\SP1\KB2874216

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please go to the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Support

How to obtain help and support for this security update

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (August 13, 2013): Bulletin published.
  • V2.0 (August 14, 2013): Rereleased bulletin to remove the 2874216 updates for Microsoft Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2 to address an issue with the updates. See the Update FAQ for details.
  • V3.0 (August 27, 2013): Rereleased bulletin to announce the reoffering of the 2874216 update for Microsoft Exchange Server 2013 Cumulative Update 1 and Microsoft Exchange Server 2013 Cumulative Update 2. See the Update FAQ for details.