September Patch Tuesday plugs critical Exchange Server exploit

Atop the list of 14 security bulletins issued in Microsoft's September Patch Tuesday is a critical update to close a significant exploit in Exchange Server.

After a slow August, kids are back to school in September and Microsoft is back to business with a busy Patch Tuesday.

Microsoft released 14 security bulletins for September Patch Tuesday and designated seven as critical, including one vulnerability that affects organizations using Exchange Server for their email platform.

Security bulletin MS16-108 describes a file format parsing bug that attackers can exploit to achieve remote code execution and take complete control of the Exchange Server. This vulnerability affects all supported versions of Exchange Server.

"It's the worst case kind of vulnerability," said Tod Beardsley, senior security research manager at Boston-based Rapid7. "The attack scenario here is the attacker sends anyone in your organization a malicious file -- and done. Game over. Exchange does pre-parsing to find out what kind of file it is [and the exploit] gets triggered before users even get the file."

The vulnerability resides in the popular third-party parsing library called Oracle Outside In that is used by Exchange Server -- and many other commercial products -- to parse a wide variety of file types.

In addition to taking full control of an Exchange Server, the attacker could pull confidential information about users from the Microsoft Outlook application. This exploit will be especially worrisome for administrators: once an email carrying the malicious attachment reaches the Exchange Server, the attacker takes over the server without any user having to open the file.

"We have seen Oracle Outside In patched quite a few times for Exchange Server, but not that recently," said Amol Sarwate, director of vulnerability labs for Qualys Inc., in Redwood City, Calif. "Oracle will send out its patches, then Microsoft has to work those patches into Exchange Server."

In July 2016, Microsoft issued an update to pull Windows Journal from supported Windows systems. Until that move, Microsoft had issued a number of patches for the note-taking application. Because the Oracle library is embedded in Exchange Server, Microsoft may not be able to do much other than continue to issue patches if further Outside In vulnerabilities appear.

"File formats are difficult to process. Adobe has been having issues with Flash and PDFs -- those have had a lot of vulnerabilities. Writing code for the hundreds of file formats which the Oracle library claims to support would be difficult for Microsoft to do by itself," said Sarwate.

To address this Exchange Server vulnerability, the patch for MS16-108 changes how Exchange Server handles file parsing, redirect requests and Microsoft Outlook meeting invitation requests.

Safeguarding SharePoint Server

Another Patch Tuesday security bulletin, MS16-107, deals with Microsoft Office applications but includes several critical vulnerabilities in SharePoint Server.

"SharePoint Server runs these Word and Excel automation services all the time on the server. If the server processes a [malicious] Word or Excel file using these automation services, that triggers the vulnerability and could cause the attacker to get complete control of the SharePoint Server," said Sarwate.

Most larger enterprises that have strict process controls would typically not be susceptible to this type of attack, Sarwate said, but smaller companies may not have such safeguards in place. That could result in exposure when, for example, an administrator uses a web browser on the SharePoint Server and opens a malicious Word or Excel file.

For more information about the remaining September Patch Tuesday security bulletins, visit the Microsoft Security TechCenter site.
