Security Bulletin
Microsoft Security Bulletin MS13-105 - Critical
Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2915705)
Published: December 10, 2013 | Updated: December 10, 2013
Version: 1.1
General Information
Executive Summary
This security update resolves three publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server. The most severe of these vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. These vulnerabilities could allow remote code execution in the security context of the LocalService account if an attacker sends an email message containing a specially crafted file to a user on an affected Exchange server. The LocalService account has minimum privileges on the local system and presents anonymous credentials on the network.
This security update is rated Critical for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Exchange Server 2013. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerabilities by updating the affected Oracle Outside In libraries to a non-vulnerable version, by enabling machine authentication check (MAC) according to best practices, and by ensuring that URLs are properly sanitized. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerabilities entry under the next section, Vulnerability Information.
Recommendation. Customers can configure automatic updating to check online for updates from Microsoft Update by using the Microsoft Update service. Customers who have automatic updating enabled and configured to check online for updates from Microsoft Update typically will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates from Microsoft Update and install this update manually. For information about specific configuration options in automatic updating in supported editions of Windows XP and Windows Server 2003, see Microsoft Knowledge Base Article 294871. For information about automatic updating in supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, see Understanding Windows automatic updating.
For administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update immediately using update management software, or by checking for updates using the Microsoft Update service.
See also the section, Detection and Deployment Tools and Guidance, later in this bulletin.
Known Issues. None
Knowledge Base Article
| Knowledge Base Article | 2915705 |
|---|---|
| File information | Yes |
| SHA1/SHA2 hashes | Yes |
| Known issues | Yes |
Affected and Non-Affected Software
The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.
Affected Software
| Software | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced |
|---|---|---|---|
| Microsoft Server Software | |||
| Microsoft Exchange Server 2007 Service Pack 3 (2903911) | Remote Code Execution | Critical | 2873746 in MS13-061 |
| Microsoft Exchange Server 2010 Service Pack 2 (2903903) | Remote Code Execution | Critical | 2874216 in MS13-061 |
| Microsoft Exchange Server 2010 Service Pack 3 (2905616) | Remote Code Execution | Critical | 2866475 in MS13-061 |
| Microsoft Exchange Server 2013 Cumulative Update 2 (2880833) | Remote Code Execution | Critical | 2866475 in MS13-061 |
| Microsoft Exchange Server 2013 Cumulative Update 3 (2880833) | Remote Code Execution | Critical | None |
Non-Affected Software
| Microsoft Server Software |
|---|
| Microsoft Exchange Server 2003 Service Pack 2 |
Update FAQ
What happens if a security update or any other interim update patch is uninstalled?
Removing any security update or interim update patch on Exchange Server 2013 Cumulative Update 2 will cause the content indexing service to fail. To restore full functionality it will be necessary to follow the steps outlined in Knowledge Base Article 2879739 These instructions do not apply to Cumulative Update 3 or later.
The Oracle Critical Patch Update advisoriesdiscuss multiple vulnerabilities.Which vulnerabilities does this update address?
This update addresses two vulnerabilities: CVE-2013-5763 and CVE-2013-5791, as discussed in Oracle Critical Patch Update Advisory - October 2013.
Does this update contain any non-security related changes to functionality?
No, Exchange Server 2013 Security Updates only contain fixes for the issue(s) identified in the security bulletin.
Update Rollups for Exchange Server 2007 and Exchange Server 2010 may contain additional new fixes but do not for this particular release.
The update rollups which address the issues in this bulletin contain only security fixes which have been released since the previous update rollup for each product became available. Exchange Server 2007 and Exchange Server 2010 rollups are cumulative; therefore the package will contain all previously released security and non-security fixes that were contained in previous rollups. Customers who have not remained current in their deployment of update rollups may experience new functionality after applying this update.
Two of the vulnerabilitiesare vulnerabilities in third-party code, Oracle Outside In libraries. Why is Microsoft issuing a security update?
Microsoft licenses a custom implementation of the Oracle Outside In libraries, specific to the product in which the third-party code is used. Microsoft is issuing this security update to help ensure that all customers using this third-party code in Microsoft Exchange are protected from these vulnerabilities.
I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, see the Microsoft Support Lifecycle website.
It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy.
Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, see the Microsoft Worldwide Information website, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.
Vulnerability Information
Severity Ratings and Vulnerability Identifiers
The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the December bulletin summary. For more information, see Microsoft Exploitability Index.
| Affected Software | Oracle Outside In Contains Multiple Exploitable Vulnerabilities:\ CVE-2013-5763 | Oracle Outside In Contains Multiple Exploitable Vulnerabilities:\ CVE-2013-5791 | MAC Disabled Vulnerability - CVE-2013-1330 | OWA XSS Vulnerability - CVE-2013-5072 | Aggregate Severity Rating |
|---|---|---|---|---|---|
| Microsoft Exchange Server 2007 Service Pack 3 \ (2903911) | Critical \ Remote Code Execution | Critical \ Remote Code Execution | Critical \ Remote Code Execution | Not applicable | Critical |
| Microsoft Exchange Server 2010 Service Pack 2 \ (2903903) | Critical \ Remote Code Execution | Critical \ Remote Code Execution | Critical \ Remote Code Execution | Important \ Elevation of Privilege | Critical |
| Microsoft Exchange Server 2010 Service Pack 3 \ (2905616) | Critical \ Remote Code Execution | Critical \ Remote Code Execution | Critical \ Remote Code Execution | Important \ Elevation of Privilege | Critical |
| Microsoft Exchange Server 2013 Cumulative Update 2 \ (2880833) | Critical \ Remote Code Execution | Critical \ Remote Code Execution | Critical \ Remote Code Execution | Important \ Elevation of Privilege | Critical |
| Microsoft Exchange Server 2013 Cumulative Update 3 \ (2880833) | Critical \ Remote Code Execution | Critical \ Remote Code Execution | Critical \ Remote Code Execution | Important \ Elevation of Privilege | Critical |
Oracle Outside In Contains Multiple Exploitable Vulnerabilities
Two of the vulnerabilities addressed in this bulletin, CVE-2013-5763 and CVE-2013-5791, exist in Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 through the WebReady Document Viewing feature. The vulnerabilities could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser. An attacker who successfully exploited this vulnerability could run code on the affected Exchange Server, but only as the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.
In addition, CVE-2013-5763 and CVE-2013-5791 exist in Exchange Server 2013 through the Data Loss Protection (DLP) feature. This vulnerability could cause the affected Exchange Server to become unresponsive if a user sends or receives a specially crafted file.
To view these vulnerabilities as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2013-5763 and CVE-2013-5791.
Mitigating Factors
Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:
- The transcoding service in Exchange that is used for WebReady Document Viewing is running in the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.
- The Filtering Management service in Exchange that is used for Data Loss Prevention is running in the LocalService account. The LocalService account has minimum privileges on the local system and presents anonymous credentials on the network.
Workarounds
Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:
Disable Data Loss Prevention (Exchange Server 2013 only)
Log in to the Exchange Management Shell as an Exchange Organization Administrator.
Issue one of the following PowerShell commands depending upon the version of Exchange Server 2013 installed:
For Exchange Server 2013 Cumulative Update 2 or Cumulative Update 3:
Add-PSSnapin Microsoft.Forefront.Filtering.Management.PowerShell Set-TextExtractionScanSettings -EnableModules AdeModule.dll, FilterModule.dll, TextConversionModule.dll
Impact of workaround. DLP policies that depend on the Outside In libraries will not function. The script provided for the Cumulative Updates will cause the Transport and Filtering Management services to restart.
How do I undo the workaround?
Log in to the Exchange Management Shell as an Exchange Organization Administrator.
Issue one of the following PowerShell commands, depending on the version of Exchange Server 2013 installed:
For Exchange Server 2013 Cumulative Update 2 or Cumulative Update 3:
Add-PSSnapin Microsoft.Forefront.Filtering.Management.PowerShell Set-TextExtractionScanSettings -EnableModules AdeModule.dll, FilterModule.dll, TextConversionModule.dll OutsideInModule.dll
Disable WebReady document view (Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013)
Log in to the Exchange Management Shell as an Exchange Organization Administrator.
Issue the following PowerShell command:
Get-OwaVirtualDirectory | where {$_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010' -or $_.OwaVersion -eq 'Exchange2013'} | Set-OwaVirtualDirectory - WebReadyDocumentViewingOnPublicComputersEnabled:$False - WebReadyDocumentViewingOnPrivateComputersEnabled:$False
Impact of workaround. OWA users may not be able to preview the content of email attachments.
How do I undo the workaround?
Log in to the Exchange Management Shell as an Exchange Organization Administrator.
Issue the following PowerShell command:
Get-OwaVirtualDirectory | where {$_.OwaVersion -eq 'Exchange2007' -or $_.OwaVersion -eq 'Exchange2010' -or $_.OwaVersion -eq 'Exchange2013'} | Set-OwaVirtualDirectory - WebReadyDocumentViewingOnPublicComputersEnabled:$True - WebReadyDocumentViewingOnPrivateComputersEnabled:$TrueNote The above steps assume the Exchange Administrator had previously allowed WebReady Documents to be viewed on both Public and Private logons to OWA. The appropriate $True or $False value should be used to set the desired behavior based upon user logon.
FAQ
What is the scope of the vulnerabilities?
These are remote code execution vulnerabilities.
What causes the vulnerabilities?
The vulnerabilities are caused when a vulnerable version of the Oracle Outside In libraries is used to parse specially crafted files.
What are the Oracle Outside In libraries?
In Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013, Outlook Web App (OWA) users are provided with a feature called WebReady Document Viewing that allows users to view certain attachments as webpages instead of relying on local applications to open or view them. The Oracle Outside In libraries are used by the conversion process on the server backend to support the WebReady feature. Microsoft licenses these libraries from Oracle.
In Exchange Server 2013, Exchange Data Loss Prevention (DLP) leverages the Oracle Outside In libraries as part of its file scanning capabilities.
What is WebReady Document Viewing?
The WebReady Document Viewing feature allows users to view certain attachments as a webpage. Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 do the conversion, so the user does not need anything other than a web browser to view the attachments.
What is Data Loss Prevention (DLP)?
Data Loss Prevention (DLP) is a feature of Exchange 2013 that allows customers to identify, monitor, and protect sensitive data through deep content analysis.
What might an attacker use these vulnerabilities to do?
In Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013, an attacker who successfully exploited these vulnerabilities could run arbitrary code in the security context of the transcoding service in Exchange that is used by the WebReady Document Viewing feature.
In Exchange Server 2013, an attacker who successfully exploited these vulnerabilities could run arbitrary code in the security context of the Filtering Management service in Exchange that is used by the Data Loss Prevention feature.
Both the transcoding service used by the WebReady Document Viewing feature and the Filtering Management service used by the Data Loss Prevention feature run as the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.
How could an attacker exploit these vulnerabilities?
An attacker could send an email message containing a specially crafted file to a user on an affected Exchange server.
In Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013, the vulnerabilities could be exploited through the WebReady Document Viewing feature if a user previews an email message that contains a specially crafted file using Outlook Web App (OWA).
In Exchange Server 2013, the vulnerabilities could be exploited through the Data Loss Prevention feature if an email message that contains a specially crafted file is received by the Exchange server.
What systems are primarily at risk from the vulnerabilities?
Systems running affected versions of Exchange Server are primarily at risk from these vulnerabilities.
What does the update do?
The update addresses the vulnerabilities by updating the affected Oracle Outside In libraries to a non-vulnerable version.
When this security bulletin was issued, had these vulnerabilities been publicly disclosed?
Yes. These vulnerabilities have been publicly disclosed. They have been assigned the following Common Vulnerability and Exposure numbers:
When this security bulletin was issued, had Microsoft received any reports that these vulnerabilities were being exploited?
No. Microsoft had not received any information to indicate that these vulnerabilities had been publicly used to attack customers when this security bulletin was originally issued.
MAC Disabled Vulnerability - CVE-2013-1330
A remote code execution vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Outlook Web Access (OWA) service, which runs under the Local System account by default.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2013-1330.
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
FAQ
What is the scope of the vulnerability?
This is a remote code execution vulnerability.
What causes the vulnerability?
This vulnerability is caused when Exchange Server does not properly validate input.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the Outlook Web Access (OWA) service, which runs under the Local System account by default.
How could an attacker exploit the vulnerability?
In an attack scenario, the attacker could send specially crafted content to the target server.
What systems are primarily at risk from the vulnerability?
Any system running an affected version of Exchange Server that is running Outlook Web Access is affected by this vulnerability.
What does the update do?
The update addresses the vulnerability by enabling machine authentication check (MAC) according to best practices.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2013-1330.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.
OWA XSS Vulnerability - CVE-2013-5072
An elevation of privilege vulnerability exists in Microsoft Exchange Server. An attacker who successfully exploited this vulnerability could run script in the context of the current user.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2013-5072.
Mitigating Factors
Microsoft has not identified any mitigating factors for this vulnerability.
Workarounds
Microsoft has not identified any workarounds for this vulnerability.
FAQ
What is the scope of the vulnerability?
This is an elevation of privilege vulnerability.
What causes the vulnerability?
This vulnerability is caused when Exchange Server does not properly validate input.
What is cross-site scripting?
Cross-site scripting (XSS) is a class of security vulnerability that can enable an attacker to inject script code into a user's session with a website. The vulnerability can affect web servers that dynamically generate HTML pages. If these servers embed browser input in the dynamic pages that they send back to the browser, these servers can be manipulated to include maliciously supplied content in the dynamic pages. This can allow malicious script to be executed. Web browsers may perpetuate this problem through their assumptions of trusted sites and their use of cookies to maintain persistent state with the websites that they frequent. An XSS attack does not modify website content. Instead, it inserts new, malicious script that can execute at the browser in the context that is associated with a trusted server.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could read content that the attacker is not authorized to read, use the victim's identity to take actions on the Outlook Web Access site on behalf of the victim, such as change permissions and delete content, and inject malicious content in the browser of the victim.
How could an attacker exploit the vulnerability?
For this vulnerability to be exploited, a user must click a specially crafted URL that takes the user to a targeted Outlook Web Access site.
In an email attack scenario, an attacker could exploit the vulnerability by sending an email message containing the specially crafted URL to the user of the targeted Outlook Web Access site and convincing the user to click the specially crafted URL.
In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted URL to the targeted Outlook Web Access site that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website, and then convince them to click the specially crafted URL.
What systems are primarily at risk from the vulnerability?
Any system that is used to access an affected version of Outlook Web Access would potentially be at risk to attack.
What does the update do?
The update addresses the vulnerability by ensuring that URLs are properly sanitized.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.
Update Information
Detection and Deployment Tools and Guidance
Several resources are available to help administrators deploy security updates.
- Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems for missing security updates and common security misconfigurations.
- Windows Server Update Services (WSUS), Systems Management Server (SMS), and System Center Configuration Manager help administrators distribute security updates.
- The Update Compatibility Evaluator components included with Application Compatibility Toolkit aid in streamlining the testing and validation of Windows updates against installed applications.
For information about these and other tools that are available, see Security Tools for IT Pros.
Security Update Deployment
Affected Software
For information about the specific security update for your affected software, click the appropriate link:
Microsoft Exchange Server 2007 Service Pack 3
Reference Table
The following table contains the security update information for this software.
| Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
|---|---|
| Security update file name | For Microsoft Exchange Server 2007 Service Pack 3:\ Exchange2007-KB2903911-x64-EN.msp |
| Installation switches | See Microsoft Knowledge Base Article 912203 |
| Restart requirement | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
| Update log file | KB2903911.log |
| Removal information | Use Add or Remove Programs item in Control Panel. |
| File information | See Microsoft Knowledge Base Article 2903911 |
| Registry key verification | For Microsoft Exchange Server 2007 Service Pack 3:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange 2007\SP2\KB2903911 |
Microsoft Exchange Server 2010 Service Pack 2
Reference Table
The following table contains the security update information for this software.
| Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
|---|---|
| Security update file name | For Microsoft Exchange Server 2010 Service Pack 2:\ Exchange2010-KB2903903-x64-en.msp |
| Installation switches | See Microsoft Knowledge Base Article 912203 |
| Restart requirement | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
| Update log file | KB2903903.log |
| Removal information | Use Add or Remove Programs item in Control Panel. |
| File information | See Microsoft Knowledge Base Article 2903903 |
| Registry key verification | For Microsoft Exchange Server 2010 Service Pack 2:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange 2010\SP1\KB2903903 |
Microsoft Exchange Server 2010 Service Pack 3
Reference Table
The following table contains the security update information for this software.
| Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or update rollup |
|---|---|
| Security update file name | For Microsoft Exchange Server 2010 Service Pack 3:\ Exchange2010-KB2905616-x64-en.msp |
| Installation switches | See Microsoft Knowledge Base Article 912203 |
| Restart requirement | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
| Update log file | KB2905616.log |
| Removal information | Use Add or Remove Programs item in Control Panel. |
| File information | See Microsoft Knowledge Base Article 2905616 |
| Registry key verification | For Microsoft Exchange Server 2010 Service Pack 3:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange 2010\SP3\KB2905616 |
Microsoft Exchange Server 2013
Reference Table
The following table contains the security update information for this software.
| Inclusion in Future Service Packs | The update for this issue will be included in a future service pack or cumulative update. |
|---|---|
| Security update file name | For Microsoft Exchange Server 2013 Cumulative Update 2 and Microsoft Exchange Server 2013 Cumulative Update 3:\ Exchange2013-KB2880833-x64-en.msp |
| Installation switches | See Microsoft Knowledge Base Article 912203 |
| Restart requirement | No, this update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.\ \ To help reduce the chance that a restart will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart, see Microsoft Knowledge Base Article 887012. |
| Update log file | KB2880833.log |
| Removal information | Use Add or Remove Programs item in Control Panel. |
| File information | See Microsoft Knowledge Base Article 2880833 |
| Registry key verification | For supported editions of Microsoft Exchange Server 2013:\ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange 2013\SP1\KB2880833 |
Other Information
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
- Minded Security, on behalf of Criteo, for reporting the OWA XSS Vulnerability (CVE-2013-5072)
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please go to the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
Support
How to obtain help and support for this security update
- Help installing updates: Support for Microsoft Update
- Security solutions for IT professionals: TechNet Security Troubleshooting and Support
- Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
- Local support according to your country: International Support
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (December 10, 2013): Bulletin published.
- V1.1 (December 10, 2013): Updated the Known Issues entry in the Knowledge Base Article section from "None" to "Yes".
Built at 2014-04-18T13:49:36Z-07:00